Send Security Command Center data to Cortex XSOAR
This page explains how to automatically send Security Command Center findings, assets, and security sources to Cortex XSOAR. It also describes how to manage the exported data. Cortex XSOAR is a security orchestration, automation, and response (SOAR) platform that ingests security data from one or more sources and lets security teams manage responses to incidents. You can use Cortex XSOAR to view your Security Command Center findings and assets, and to update findings when issues are resolved.
In this guide, you ensure that the required Security Command Center and Google Cloud services are properly configured, and enable Cortex XSOAR to access findings and assets in your Security Command Center environment. Some of the instructions on this page are compiled from Cortex XSOAR's integrations guide on GitHub.
Before you begin
This guide assumes you have a working version of Cortex XSOAR. To get started with Cortex XSOAR, sign up.
Configure authentication and authorization
Before connecting Security Command Center to Cortex XSOAR, you need to create an Identity and Access Management (IAM) service account in each Google Cloud organization and grant that account both the organization-level and project-level IAM roles that Cortex XSOAR needs.
Create a service account and grant IAM roles
The following steps use the Google Cloud console. For other methods, see the links at the end of this section.
Complete these steps for each Google Cloud organization that you want to import Security Command Center data from.
1. In the same project in which you create your Pub/Sub topics, use the Service Accounts page in the Google Cloud console to create a service account. For instructions, see Creating and managing service accounts.
2. Grant the service account the following role:
   - Pub/Sub Editor (roles/pubsub.editor)
3. Copy the name of the service account that you just created.
4. Use the project selector in the Google Cloud console to switch to the organization level.
5. Open the IAM page for the organization.
6. On the IAM page, click Grant access. The Grant access panel opens.
7. In the Grant access panel, complete the following steps:
   - In the Add principals section, in the New principals field, paste the name of the service account.
   - In the Assign roles section, use the Role field to grant the following IAM roles to the service account:
     - Security Center Admin Editor (roles/securitycenter.adminEditor)
     - Security Center Notification Configurations Editor (roles/securitycenter.notificationConfigEditor)
     - Organization Viewer (roles/resourcemanager.organizationViewer)
     - Cloud Asset Viewer (roles/cloudasset.viewer)
   - Click Save. The service account appears on the Permissions tab of the IAM page under View by principals.

By inheritance, the service account also becomes a principal in all child projects of the organization. The roles that are applicable at the project level are listed as inherited roles.
For more information about creating service accounts and granting roles, seethe following topics:
Provide the credentials to Cortex XSOAR
Depending on where you are hosting Cortex XSOAR, how you provide the IAM credentials to Cortex XSOAR differs.
If you are hosting Cortex XSOAR in Google Cloud, consider the following:
The service account that you created and the organization-level roles that you granted to it are available automatically by inheritance from the parent organization. If you are using multiple Google Cloud organizations, add this service account to the other organizations and grant it the IAM roles that are described in steps 5 to 7 of Create a service account and grant IAM roles.
If you deploy Cortex XSOAR in a service perimeter, create the ingress and egress rules. For instructions, see Granting perimeter access in VPC Service Controls.
If you are hosting Cortex XSOAR in your on-premises environment, and your identity provider supports workload identity federation, configure workload identity federation and download the credentials configuration files. Otherwise, create a service account key for each Google Cloud organization in JSON format.
Note: Service account keys are a security risk if not managed correctly. You should choose a more secure alternative to service account keys whenever possible. If you must authenticate with a service account key, you are responsible for the security of the private key and for other operations described by Best practices for managing service account keys. If you are prevented from creating a service account key, service account key creation might be disabled for your organization. For more information, see Managing secure-by-default organization resources. If you acquired the service account key from an external source, you must validate it before use. For more information, see Security requirements for externally sourced credentials.
If you are hosting Cortex XSOAR in Microsoft Azure or Amazon Web Services, configure workload identity federation and download the credentials configuration files. If you are using multiple Google Cloud organizations, add this service account to the other organizations and grant it the IAM roles that are described in steps 5 to 7 of Create a service account and grant IAM roles.
Configure notifications
Complete these steps for each Google Cloud organization that you want to import Security Command Center data from.
1. Set up finding notifications as follows:
   - Enable the Security Command Center API.
   - Create a filter to export findings.
   - Create a Pub/Sub topic for findings. The NotificationConfig must use the Pub/Sub topic you create for findings.
2. Enable the Cloud Asset API for your project.

You will need your organization ID, project ID, and the Pub/Sub subscription ID from this task to configure Cortex XSOAR. To retrieve your organization ID and project ID, see Retrieving your organization ID and Identifying projects, respectively.
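The notification setup above as a script, added here as an example; it is not from this page or from Cortex XSOAR. It assumes gcloud is installed and authenticated, uses ORGANIZATION_ID and PROJECT_ID as placeholders, and the topic, subscription, and NotificationConfig names are assumed; the IAM roles from the previous section are granted separately.

```shell
#!/bin/sh
# Added example, not from the page or from Cortex XSOAR: the "Configure
# notifications" steps as gcloud commands. By default the commands are only
# printed; set APPLY=1 to run them. All default values below are placeholders.
ORG_ID="${ORG_ID:-ORGANIZATION_ID}"
PROJECT_ID="${PROJECT_ID:-PROJECT_ID}"
TOPIC="${TOPIC:-scc-findings}"                        # assumed topic name
SUBSCRIPTION="${SUBSCRIPTION:-scc-findings-xsoar}"    # assumed subscription
NOTIFICATION="${NOTIFICATION:-xsoar-active-findings}" # assumed config name
# Export filter: only active findings. Narrow it further (for example by
# severity) so XSOAR is not flooded with every finding in the organization.
FILTER='state="ACTIVE"'

# Run a command, or print it when APPLY is not 1.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Enable the Security Command Center API and the Cloud Asset API, which the
# XSOAR asset commands depend on.
enable_apis() {
  run gcloud services enable securitycenter.googleapis.com \
    cloudasset.googleapis.com --project="$PROJECT_ID"
}

# The topic XSOAR's subscription reads from, created in the same project as
# the service account that holds roles/pubsub.editor.
create_topic_and_subscription() {
  run gcloud pubsub topics create "$TOPIC" --project="$PROJECT_ID"
  run gcloud pubsub subscriptions create "$SUBSCRIPTION" \
    --topic="$TOPIC" --project="$PROJECT_ID"
}

# The NotificationConfig carries the export filter and must point at that topic.
create_notification_config() {
  run gcloud scc notifications create "$NOTIFICATION" \
    --organization="$ORG_ID" \
    --pubsub-topic="projects/$PROJECT_ID/topics/$TOPIC" \
    --filter="$FILTER"
}

# The three values the XSOAR integration instance asks for.
xsoar_inputs() {
  printf 'Organization ID: %s\nProject ID: %s\nSubscription ID: %s\n' \
    "$ORG_ID" "$PROJECT_ID" "$SUBSCRIPTION"
}

enable_apis
create_topic_and_subscription
create_notification_config
xsoar_inputs
```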
Configure Cortex XSOAR
When granted access, Cortex XSOAR receives finding and asset updates in real time.
To use Security Command Center with Cortex XSOAR, perform the following steps:
1. Install the Google Cloud SCC content pack from the Cortex XSOAR Marketplace.
   The content pack is a module maintained by Security Command Center that automates the process of scheduling Security Command Center API calls and regularly retrieves Security Command Center data for use in Cortex XSOAR.
2. In the Cortex XSOAR application menu, navigate to Settings, and then click Integrations.
3. Under Integrations, select Servers & Services.
4. Search for and select GoogleCloudSCC.
5. To create and configure a new integration instance, click Add instance.
6. Enter information into the following fields as needed:
   - Service Account Configuration (required): One of the following, as described in Before you begin:
     - The contents of the service account JSON file, if you created a service account key
     - The contents of the credential configuration file, if you are using workload identity federation
   - Organization ID (required): The ID of your organization.
   - Fetch incidents (optional): Enables fetching incidents.
   - Project ID (optional): The ID of the project to use for fetching incidents; if empty, the ID of the project contained in the provided JSON file is used.
   - Subscription ID (required): The ID of your Pub/Sub subscription.
   - Max Incidents (optional): The maximum number of incidents to fetch during each retrieval.
   - Incident type (optional): The type of incident.
   - Trust any certificate (not secure) (optional): Trusts all certificates.
   - Use system proxy settings (optional): Enables system proxy settings.
   - Incidents Fetch Interval (optional): Time between retrievals for updated incident information.
   - Log Level (optional): The log level for the content pack.
7. Click Test.
   If the configuration is valid, you see a "success" message. If invalid, you get an error message.
8. Click Save and exit.
9. Repeat steps 5 to 8 for each organization.
Cortex XSOAR automatically maps fields from Security Command Center findings to appropriate Cortex XSOAR fields. To override selections or learn more about Cortex XSOAR, read the product documentation.
The configuration of Cortex XSOAR is complete. The Manage findings and assets section explains how to view and manage Security Command Center data in the service.
Upgrade the Google Cloud SCC content pack
This section describes how to upgrade from a previous version.
1. Access the latest version of the Google Cloud SCC content pack from the Cortex XSOAR Marketplace.
2. Click Download with Dependencies.
3. Click Install.
4. Click Refresh content.

The upgrade maintains your previous configuration information. To use workload identity federation, add the configuration file, as described in Configure Cortex XSOAR.
Manage findings and assets
You can view and update assets and findings using Cortex XSOAR's command line interface (CLI). You can run commands as part of automated triaging and remediation, or in a playbook.
For names and descriptions of all supported methods and arguments for Cortex XSOAR's CLI, and output examples, see Commands.
Findings are compiled from Security Command Center's built-in services—Security Health Analytics, Web Security Scanner, Event Threat Detection, and Container Threat Detection—and any integrated services you enable.
Note: You must be a Security Command Center Premium customer to receive findings from certain Security Command Center services, such as Event Threat Detection and Container Threat Detection.
List assets
To list your organization's assets, use Cortex XSOAR's google-cloud-scc-asset-list command. For example, the following command lists assets where lifecycleState is Active and limits the response to three assets:
!google-cloud-scc-asset-list pageSize="3" activeAssetsOnly=TRUE
The exclamation symbol (!) in code samples is a required symbol to start commands in Cortex XSOAR. It doesn't represent negation or NOT.
The google-cloud-scc-asset-list command is deprecated, but it continues to work as described. An alternative command is unavailable at this time.
View asset resources
To list assets contained in parent resources, such as projects, use Cortex XSOAR's google-cloud-scc-asset-resource-list command. For example, the following command lists assets with an assetType of compute.googleapis.com/Disk and limits the response to two assets:
!google-cloud-scc-asset-resource-list assetType="compute.googleapis.com/Disk" pageSize=2
Wildcards and regular expressions are supported. For example, assetType=".*Instance" lists assets where the asset type ends with "Instance".
View findings
To list findings for your organization or a security source, use Cortex XSOAR's google-cloud-scc-finding-list command. For example, the following command lists active findings with critical severity for all sources and limits the response to three findings:
!google-cloud-scc-finding-list severity="CRITICAL" sourceTypeId="-" pageSize="3" state="ACTIVE"
You can filter your findings as well. The following command lists any findings that are classified as threats:
!google-cloud-scc-finding-list filter="findingClass=\"THREAT\""
Update findings
You can update a finding by using Cortex XSOAR's google-cloud-scc-finding-update command. You must provide the name, or relative resource name, of the finding, using the following format: organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID.
For example, the following command updates the severity of a finding:
!google-cloud-scc-finding-update name="organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID" severity="CRITICAL"
Replace the following:
- ORGANIZATION_ID with your organization ID. To retrieve your organization ID and project ID, see Retrieving your organization ID.
- SOURCE_ID with the ID of the security source. To find a source ID, see Getting the source ID.
- FINDING_ID with the finding ID that is included in finding details.
Update finding status
You can update the status of a finding by using Cortex XSOAR's google-cloud-scc-finding-status-update command. You must provide the name, or relative resource name, of the finding, using the following format: organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID.
For example, the following command sets the finding status to active:
!google-cloud-scc-finding-status-update name="organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID" state="ACTIVE"
Replace the following:
- ORGANIZATION_ID with your organization ID. To retrieve your organization ID and project ID, see Retrieving your organization ID.
- SOURCE_ID with the ID of the security source. To find a source ID, see Getting the source ID.
- FINDING_ID with the finding ID that is included in finding details.
Get asset owners
To list the owners of an asset, use Cortex XSOAR's google-cloud-scc-asset-owner-get command. You must provide the project name in the form of projects/PROJECT_NUMBER. For example, the following command lists the owner of the provided project:
!google-cloud-scc-asset-owner-get projectName="projects/PROJECT_NUMBER"
To add multiple projects to the command, use a comma separator, for example, projectName="projects/123456789, projects/987654321".
What's next
Learn more about setting up finding notifications in Security Command Center.
Read about filtering finding notifications in Security Command Center.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-17 UTC.