Send Security Command Center data to Elastic Stack

Standard, Premium, and Enterprise service tiers

Note: This content applies only to the GoApp service that was released in February 2022. To upgrade to the latest GoApp service, see Upgrade to the latest release.

This page explains how to automatically send Security Command Center findings, assets, and security sources to Elastic Stack without using a Docker container. It also describes how to manage the exported data. Elastic Stack is a security information and event management (SIEM) platform that ingests data from one or more sources and lets security teams manage responses to incidents and perform real-time analytics. The Elastic Stack configuration discussed in this guide includes four components:

  • Filebeat: a lightweight agent installed on edge hosts, such as virtual machines (VM), that can be configured to collect and forward data
  • Logstash: a transformation service that ingests data, maps it into required fields, and forwards the results to Elasticsearch
  • Elasticsearch: a search database engine that stores data
  • Kibana: powers dashboards that let you visualize and analyze data

Upgrade to the latest release

To upgrade to the latest release, you must deploy a Docker container image that includes the GoApp module. For more information, see Exporting assets and findings with Docker and Elastic Stack.

To upgrade to the latest release, complete the following:

  1. Delete go_script.service from /etc/systemd/system/.
  2. Delete the GoApp folder.
  3. Delete Logstash configurations.
  4. Delete logstash2.service.
  5. Delete filebeat.service.
  6. Optionally, to avoid issues when importing the new dashboards, remove the existing dashboards from Kibana:
    1. Open the Kibana application.
    2. In the navigation menu, go to Stack Management, and then click Saved Objects.
    3. Search for Google SCC.
    4. Select all the dashboards that you want to remove.
    5. Click Delete.
  7. Add the Logs Configuration Writer (roles/logging.configWriter) role to the service account.
  8. Create a Pub/Sub topic for your audit logs.
  9. Optionally, if you are installing the Docker container in another cloud, configure workload identity federation instead of using service account keys. You must create short-lived service account credentials and download the credential configuration file.
  10. Complete the steps in Download the GoApp module.
  11. Complete the steps in Install the Docker container.
  12. Complete the steps in Update permissions for audit logs.
  13. Import all the dashboards, as described in Import Kibana dashboards.

Use the instructions in Exporting assets and findings with Docker and Elastic Stack to administer your SIEM integration.

Manage service and logs

This section explains how to view GoApp module logs and make changes to the module's configuration.

This section applies only to the GoApp module that you installed from the GoogleSCCElasticIntegration installation package that was made available in February 2022. For up-to-date information, see Upgrade to the latest release.

  1. Check the status of the service:

      systemctl | grep go_script
  2. Check the current working logs, which contain information on execution failures and other service information:

      sudo journalctl -f -u go_script.service
  3. Check historical and current working logs:

      sudo journalctl -u go_script.service
  4. To troubleshoot or check the logs of go_script.service, print the module's own log file from the working directory:

      cat go.log

Uninstall the GoApp module

Uninstall the GoApp module when you no longer wish to retrieve Security Command Center data for Elastic Stack.

This section applies only to the GoApp module that you installed from the GoogleSCCElasticIntegration installation package that was made available in February 2022. For up-to-date information, see Upgrade to the latest release.

  1. Delete go_script.service from /etc/systemd/system/.
  2. Remove feeds for assets and IAM policies.
  3. Remove Pub/Sub for assets, IAM policies, and findings.
  4. Delete the working directory.

Configure Elastic Stack applications

This section explains how to configure Elastic Stack applications to ingest Security Command Center data. The instructions assume you properly installed and enabled Elastic Stack, and that you have root privileges in the application environment.

This section applies only to the GoApp module that you installed from the GoogleSCCElasticIntegration installation package that was made available in February 2022. For up-to-date information, see Upgrade to the latest release.

View Logstash service logs

To view current logs, run the following command:

    sudo journalctl -f -u logstash2.service

To view historical logs, run the following command:

    sudo journalctl -u logstash2.service

Uninstall the service

  1. Delete Logstash configurations.
  2. Delete logstash2.service.

Set up Filebeat

This section applies only to the GoApp module that you installed from the GoogleSCCElasticIntegration installation package that was made available in February 2022. For up-to-date information, see Upgrade to the latest release.

View Filebeat service logs

To view current logs, run the following command:

    sudo journalctl -f -u filebeat.service

To view historical logs, run the following command:

    sudo journalctl -u filebeat.service

Uninstall the service

  1. Delete Logstash configurations.
  2. Delete filebeat.service.

View Kibana dashboards

You can use custom dashboards in Elastic Stack to visualize and analyze your findings, assets, and security sources. The dashboards display critical findings and help your security team prioritize fixes.

This section applies only to the GoApp module that you installed from the GoogleSCCElasticIntegration installation package that was made available in February 2022. For up-to-date information, see Upgrade to the latest release.

Overview

The Overview dashboard contains a series of charts that displays the total number of findings in your organization by severity level, category, and state. Findings are compiled from Security Command Center's built-in services (Security Health Analytics, Web Security Scanner, Event Threat Detection, and Container Threat Detection) and any integrated services you enable.

Additional charts show which categories, projects, and assets are generating the most findings.

Note: You must be a Security Command Center Premium customer to receive Event Threat Detection and Container Threat Detection findings.

Assets

The Assets dashboard displays tables that show your Google Cloud assets. The tables show asset owners, asset counts by resource type and projects, and your most recently added and updated assets.

You can filter asset data by time range, resource name, resource type, owner, and project, and quickly drill down to findings for specific assets. If you click an asset name, you are redirected to Security Command Center's Assets page in the Google Cloud console and shown details for the selected asset.

Findings

The Findings dashboard includes a table showing your most recent findings. You can filter the data by resource name, category, and severity.

Table columns include finding name, in the format organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID, category, resource name, event time, create time, parent name, parent URI, and security marks. The format of parent URI matches finding name. If you click a finding name, you are redirected to Security Command Center's Findings page in the Google Cloud console and shown details for the selected finding.
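The finding-name format above is what the Findings and Sources dashboards key on. The following added example (not code from the page or from the GoApp module) parses that format, rejects malformed names, and counts findings per source the way the Sources dashboard does; the sample names are constructed for illustration.

```python
import re
from typing import Dict, Optional, Iterable

# Finding names exported to Elastic follow the documented format:
# organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID
# Organization and source IDs are numeric; the finding ID is an opaque token.
FINDING_NAME_RE = re.compile(
    r"^organizations/(?P<organization_id>\d+)"
    r"/sources/(?P<source_id>\d+)"
    r"/findings/(?P<finding_id>[A-Za-z0-9_-]+)$"
)


def parse_finding_name(name: str) -> Optional[Dict[str, str]]:
    """Split a finding name into its IDs; return None for a malformed name."""
    match = FINDING_NAME_RE.match(name.strip())
    return match.groupdict() if match else None


def parent_name(name: str) -> Optional[str]:
    """Return the source that owns the finding (organizations/ORG/sources/SRC)."""
    parts = parse_finding_name(name)
    if parts is None:
        return None
    return f"organizations/{parts['organization_id']}/sources/{parts['source_id']}"


def count_by_source(names: Iterable[str]) -> Dict[str, int]:
    """Count findings per source, skipping names that do not parse.

    Malformed names are dropped rather than counted under a bogus key, so a
    bad Logstash mapping shows up as a shortfall instead of a phantom source.
    """
    counts: Dict[str, int] = {}
    for name in names:
        parent = parent_name(name)
        if parent is not None:
            counts[parent] = counts.get(parent, 0) + 1
    return counts


# Constructed sample names (placeholder IDs, not real findings).
SAMPLE_NAMES = [
    "organizations/111111111111/sources/2222222222222222222/findings/f1a2b3c4",
    "organizations/111111111111/sources/2222222222222222222/findings/d5e6f7a8",
    "organizations/111111111111/sources/3333333333333333333/findings/abcdef01",
    "projects/111111111111/findings/not-an-org-scoped-name",  # malformed
]

if __name__ == "__main__":
    print(count_by_source(SAMPLE_NAMES))
```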

Sources

The Sources dashboard shows the total number of findings and security sources, the number of findings by source name, and a table of all your security sources. Table columns include name, display name, and description.

Edit dashboards

Add columns

  1. Navigate to a dashboard.
  2. Click Edit, and then click Edit visualization.
  3. Under Add sub-bucket, select Split rows.
  4. In the list, select Aggregation.
  5. In the Descending drop-down menu, select ascending or descending. In the size field, enter the maximum number of rows for the table.
  6. Select the column you want to add.
  7. Save the changes.

Remove columns

  1. Navigate to the dashboard.
  2. Click Edit.
  3. To hide columns, next to the column name, click the visibility, or eye, icon. To remove the column, next to the column name, click the X, or delete, icon.


Last updated 2025-12-17 UTC.