Integrate Security Command Center Enterprise with ticketing systems

Enterprise service tier

This document explains how to integrate the Enterprise tier of Security Command Center with ticketing systems after configuring security orchestration, automation, and response (SOAR).

Integrating with ticketing systems is optional and requires manual configuration. If you use the default Security Command Center Enterprise configuration, you don't need to perform this procedure. You can integrate with a ticketing system later at any time.

Overview

You can track findings using the console and APIs with the default Security Command Center Enterprise configuration. If your organization uses ticketing systems to track issues, integrate with Jira or ServiceNow after you have configured your Google Security Operations instance.

Upon receiving findings for resources, the SCC Enterprise – Urgent Posture Findings Connector analyzes and groups them into new or existing cases, depending on the finding type.

If you integrate with a ticketing system, Security Command Center creates a new ticket every time it creates a new case for findings. Security Command Center automatically updates the related ticket whenever a case is updated.

A single case can contain multiple findings. Security Command Center creates one ticket for each case and synchronizes the case content and information with the corresponding ticket to let ticket assignees know what to remediate.

The synchronization between a case and its ticket works both ways:

  • Changes within a case, such as a status update or new comment, are automatically reflected in the associated ticket.

  • Similarly, ticket details synchronize back to the case, enriching it with information from the ticketing system.

Before you begin

Before configuring Jira or ServiceNow, provide a valid email address for the Fallback Owner parameter in the SCC Enterprise – Urgent Posture Findings Connector, and make sure that this email is assignable in your ticketing system.

Integrate with Jira

Make sure to complete all integration steps to synchronize the case updates with Jira issues and ensure the correct playbook flow.

A case priority is reflected in the Jira issue severity.

Create a new project in Jira

To create a new project in Jira for the Security Command Center Enterprise issues called SCC Enterprise Project (SCCE), run a manual action in the case. You can use any existing case or simulate one. For more information about simulating cases, refer to the Simulate cases page in the Google SecOps documentation.

Creating a new Jira project requires Jira admin-level credentials.

Note: To create a new Jira project and configure the custom issue layout, use your Jira admin credentials.

To create a new Jira project, complete the following steps:

  1. In the Google Cloud console, go to Risk > Cases.
  2. Select an existing case or the one that you've simulated.
  3. In the Case Overview tab, click Manual Action.
  4. In the manual action Search field, enter Create SCC Enterprise.
  5. In search results under the SCCEnterprise integration, select the Create SCC Enterprise Cloud Posture Ticket Type Jira action. The dialog window opens.
  6. To configure the API Root parameter, enter the API root of your Jira instance, such as https://YOUR_DOMAIN_NAME.atlassian.net
  7. To configure the Username parameter, enter the username that you use to sign in to Jira as an administrator.
  8. To configure the Password parameter, enter the password that you use to sign in to Jira as an administrator.
  9. To configure the API Token parameter, enter the API token of your Atlassian admin account that was generated in the Jira console.
  10. Click Execute. Wait until the action is completed.

Optional: Configure custom Jira issue layout

  1. Sign in to Jira as an administrator.
  2. Go to Projects > SCC Enterprise Project (SCCE).
  3. Adjust and reorder issue fields. For more details about managing issue fields, see Configuring issue field layout in Jira documentation.

Configure Jira integration

Note: To configure the Jira integration, use credentials for a regular Jira user with permissions to create and update issues in the newly created project.

  1. In the Google Cloud console, go to Response > Playbooks to open the Security Operations console navigation.
  2. In the Security Operations console navigation, go to Response > Integrations Setup.
  3. Select the Default Environment.
  4. In the integration Search field, enter Jira. The Jira integration returns as a search result.
  5. Click Configure Instance. The dialog window opens.
  6. To configure the API Root parameter, enter the API root of your Jira instance, such as https://YOUR_DOMAIN_NAME.atlassian.net
  7. To configure the Username parameter, enter the username that you use to sign in to Jira. Don't use your admin credentials.
  8. To configure the API Token parameter, enter the API token of your non-admin Atlassian account that was generated in the Jira console.
  9. Click Save.
  10. To test your configuration, click Test.
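The following is an added example, not part of the original page or of Google's or Atlassian's code: a check that the non-admin integration account can create and update issues in the SCCE project without holding admin rights. It assumes the Jira Cloud `mypermissions` REST endpoint; treating project administration as over-privileged is this example's own assumption, and the sample responses are constructed.

```python
import json

PROJECT_KEY = "SCCE"  # project key named on this page
REQUIRED = ("CREATE_ISSUES", "EDIT_ISSUES")       # "create and update issues"
FORBIDDEN = ("ADMINISTER", "ADMINISTER_PROJECTS")  # assumption: both count as admin


def permissions_path(project_key=PROJECT_KEY):
    """Path to GET under the API root while authenticated as the integration user."""
    keys = ",".join(REQUIRED + FORBIDDEN)
    return f"/rest/api/3/mypermissions?projectKey={project_key}&permissions={keys}"


def review_permissions(response_body):
    """Return (ok, problems) for the JSON body returned by mypermissions."""
    perms = json.loads(response_body).get("permissions", {})
    problems = []
    for key in REQUIRED + FORBIDDEN:
        entry = perms.get(key)
        if entry is None:
            # Fail closed: an absent key proves nothing either way.
            problems.append(f"{key}: not in response, cannot verify")
        elif key in REQUIRED and not entry.get("havePermission", False):
            problems.append(f"{key}: missing, ticket creation or sync will fail")
        elif key in FORBIDDEN and entry.get("havePermission", False):
            problems.append(f"{key}: granted, account is over-privileged")
    return (not problems, problems)


def _sample(**granted):
    """Build a constructed response body in the shape the endpoint returns."""
    body = {k: {"key": k, "havePermission": v} for k, v in granted.items()}
    return json.dumps({"permissions": body})


# Constructed sample responses, not captured from a real instance.
REGULAR_USER = _sample(CREATE_ISSUES=True, EDIT_ISSUES=True,
                       ADMINISTER=False, ADMINISTER_PROJECTS=False)
ADMIN_USER = _sample(CREATE_ISSUES=True, EDIT_ISSUES=True,
                     ADMINISTER=True, ADMINISTER_PROJECTS=True)
READ_ONLY = _sample(CREATE_ISSUES=False, EDIT_ISSUES=False,
                    ADMINISTER=False, ADMINISTER_PROJECTS=False)

if __name__ == "__main__":
    print("GET <API Root>" + permissions_path())
    for name, body in [("regular", REGULAR_USER), ("admin", ADMIN_USER),
                       ("read-only", READ_ONLY)]:
        print(name, review_permissions(body))
```
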

Enable the Posture Findings With Jira playbook

  1. In the Google Cloud console, go to Response > Playbooks to open the Security Operations console Playbooks page.
  2. In the Playbook Search bar, enter Generic.
  3. Select the Posture Findings - Generic playbook. This playbook is enabled by default.
  4. Switch the toggle to disable the playbook.
  5. Click Save.
  6. In the Playbook Search bar, enter Jira.
  7. Select the Posture Findings With Jira playbook. This playbook is disabled by default.
  8. Switch the toggle to enable the playbook.
  9. Click Save.

Integrate with ServiceNow

Make sure to complete all integration steps to synchronize the updates of Google SecOps cases with ServiceNow tickets and ensure the correct playbook flow.

Create and configure ServiceNow custom ticket type

Make sure to create and configure the ServiceNow custom ticket type to enable the Activities tab in the ServiceNow UI and avoid using the erroneous ticket layout.

Create ServiceNow custom ticket type

Creating a custom ServiceNow ticket type requires ServiceNow admin-level credentials.

To create a custom ticket type, complete the following steps:

  1. In the Google Cloud console, go to Risk > Cases.
  2. Select an existing case or the one you've simulated.
  3. In the Case Overview tab, click Manual Action.
  4. In the manual action Search field, enter Create SCC Enterprise.
  5. In search results under the SCCEnterprise integration, select the Create SCC Enterprise Cloud Posture Ticket Type SNOW action. The dialog window opens.
  6. To configure the API Root parameter, enter the API root of your ServiceNow instance, such as https://INSTANCE_NAME.service-now.com/api/now/v1/
  7. To configure the Username parameter, enter the username that you use to sign in to ServiceNow as an administrator.
  8. To configure the Password parameter, enter the password that you use to sign in to ServiceNow as an administrator.
  9. To configure the Table Role parameter, leave the field empty or provide a value if you have one. This parameter only accepts one role value.

    By default, the Table Role field is empty. You must create a new custom role in ServiceNow to specifically manage the Security Command Center Enterprise tickets. Only ServiceNow users granted this new custom role have access to the Security Command Center Enterprise tickets.

    If you already have a dedicated role for users who manage incidents in ServiceNow and you'd like to use this role for managing the Security Command Center Enterprise findings, enter the existing ServiceNow role name in the Table Role field. For example, if you provide the existing incident_handler_role value, all of the users who are granted the incident_handler_role role in ServiceNow can access the Security Command Center Enterprise tickets.

  10. Click Execute. Wait until the action is completed.

Configure ServiceNow custom ticket layout

To ensure that the ServiceNow web interface accurately displays the updates related to cases and case comments, complete the following steps:

  1. In your ServiceNow administrator account, go to the All tab.
  2. In the Search field, enter SCC Enterprise.
  3. In the drop-down list, select the SCC Enterprise Cloud Posture Ticket and run a search.
  4. Select the Posture Test Ticket. The ServiceNow ticket layout page opens.
  5. At the ServiceNow ticket layout page, go to Additional actions > Configure > Form Layout.
  6. Go to the Form view and section section.
  7. In the Section field, select u_scc_enterprise_cloud_posture_ticket.
  8. Click Save. After the page updates, the ticket template has fields that are distributed into two columns.
  9. Go to Additional actions > Configure > Form Layout.
  10. Go to the Form view and section section.
  11. In the Section field, select Summary.
  12. Click Save. After the page updates, the ticket template displays the new Summary structure.

Configure ServiceNow integration

  1. In the Google Cloud console, go to Response > Playbooks to open the Security Operations console navigation.
  2. In the Security Operations console navigation, go to Response > Integrations Setup.
  3. Select the Default Environment.
  4. In the integration Search field, enter ServiceNow. The ServiceNow integration returns as a search result.
  5. Click Configure Instance. The dialog window opens.
  6. To configure the API Root parameter, enter the API root of your ServiceNow instance, such as https://INSTANCE_NAME.service-now.com/api/now/v1/
  7. To configure the Username parameter, enter the username that you use to sign in to ServiceNow. Don't use your admin credentials.
  8. To configure the Password parameter, enter the password that you use to sign in to ServiceNow. Don't use your admin credentials.
  9. Click Save.
  10. To test your configuration, click Test.

Enable the Posture Findings With SNOW playbook

  1. In the Google Cloud console, go to Response > Playbooks.
  2. In the Playbook Search bar, enter Generic.
  3. Select the Posture Findings - Generic playbook. This playbook is enabled by default.
  4. Switch the toggle to disable the playbook.
  5. Click Save.
  6. In the Playbook Search bar, enter SNOW.
  7. Select the Posture Findings With SNOW playbook. This playbook is disabled by default.
  8. Switch the toggle to enable the playbook.
  9. Click Save.

Enable case data synchronization

Security Command Center automatically synchronizes the information between a case and its corresponding ticket, ensuring matching priority, status, comments, and other relevant data between a case and its ticket.

To synchronize case data, Security Command Center uses internal automatic processes called synchronization jobs. The Sync SCC-Jira Tickets and Sync SCC-ServiceNow Tickets jobs synchronize case data between Security Command Center and integrated ticketing systems. Both jobs are initially disabled and require you to enable them to initiate automatic case data synchronization.

Closing a case automatically resolves the corresponding ticket. Resolving a ticket in Jira or ServiceNow triggers the synchronization jobs to close the case too.

Before you begin

To enable case synchronization, you must be granted any of the following SOC roles on the SOAR settings page:

  • Administrator
  • Vulnerability Manager
  • Threat Manager

For more details about SOC roles and permissions required for users, see Control access to features in Security Operations console pages.

Enable synchronization for ticketing systems

To ensure that the information in cases and tickets is automatically synchronized, enable the synchronization job that is relevant to the ticketing system that you integrated with.

To enable the synchronization job, complete the following steps:

  1. In the Google Cloud console, go to Security Command Center.

  2. In the navigation menu, click Response > Playbooks. The Playbooks page opens in the Security Operations console.

  3. Click Response > Job Scheduler.

  4. Choose the correct synchronization job:

    • If you integrated with Jira, select the Sync SCC-Jira Tickets job.

    • If you integrated with ServiceNow, select the Sync SCC-ServiceNow Tickets job.

  5. Switch the toggle to enable the selected job.

  6. Click Save to enable Security Command Center to automatically synchronize case data with a ticketing system.

Create tickets for existing cases

Security Command Center automatically creates tickets only for cases opened after you have integrated with a ticketing system and does not retroactively attach new playbooks to existing alerts. To create tickets for cases opened before integrating with a ticketing system, use one of the following approaches:

  • Close a case that has no ticket and wait until SCC reingests findings and assigns a new playbook to the case alerts.

  • Manually add a playbook to any alert in a case that was opened before you integrated with a ticketing system.

Close a case with no ticket

To close a case that has no ticket, complete the following steps:

  1. In the Google Cloud console, go to Security Command Center.

  2. In the navigation, click Risk > Cases. The Cases page opens in the Security Operations console.

  3. Click Open Filter. The Case queue filter panel opens.

  4. In the Case queue filter, specify the following:

    1. In the Time Frame field, specify the time period for open cases.
    2. Set Logical operator to AND.
    3. For the first value under Logical operator, select Tags.
    4. Set the condition to IS.
    5. For the second value, select Internal-SCC-Ticket-Info.
    6. Click Apply to update cases in the case queue and show only the cases that match the filter you specified.

  5. From the case queue, select the case.

  6. In the Case view, select Close Case. The Close Case window opens.

  7. In the Close Case window, specify the following:

    1. Select a value for the Reason field to state the reason for closing the case.

    2. Select a value for the Root Cause field to state the cause for closing the case.

    3. Optional: Add a comment.

    4. Click Close to close the case. Security Command Center then reingests findings into a new case and automatically attaches a correct playbook to them.

Manually add a playbook to an alert

To manually attach a playbook to an alert in an existing case, complete the following steps:

  1. In the Google Cloud console, go to Security Command Center.

  2. Click Risk > Cases. The Cases page opens in the Security Operations console.

  3. Click Open Filter. The Case queue filter panel opens.

  4. In the Case queue filter, specify the following:

    1. In the Time Frame field, specify the time period for open cases.
    2. Set Logical operator to AND.
    3. For the first value under Logical operator, select Tags.
    4. Set the condition to IS.
    5. For the second value, select Internal-SCC-Ticket-Info.
    6. Click Apply to update cases in the case queue and show only the cases that match the filter you specified.

  5. From the case queue, select the case.

  6. Select any alert contained in a case.

  7. In an alert view, go to the Playbooks tab.

  8. Click Add Playbook. The Add a Playbook window with a list of available playbooks appears.

  9. In the search field of the Add a Playbook window, enter Posture Findings.

    • If you integrated with Jira, select the Posture Findings With Jira playbook.
    • If you integrated with ServiceNow, select the Posture Findings With SNOW playbook.

  10. Click Add to add a playbook to an alert.

Upon completion, the playbook creates a ticket for a case and automatically populates the ticket with information from the case.

Adding a playbook to a single alert within a case is sufficient to create a ticket and trigger data synchronization.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-20 UTC.