Google Security Command Center Event Source
The Google Cloud Platform (GCP) Security Command Center (SCC) is Google’s built-in security and vulnerability detection solution. It monitors your GCP environment to detect threats such as compromised identities (meshing with IAM), data exfiltration, and misconfigurations. Health Analytics and Web Security Scanner detectors generate vulnerability findings that are available in the SCC. When they are turned on in the SCC, integrated services like VM Manager also generate vulnerability findings.
SCC findings model the potential security risks of assets in a project or an organization. A finding always relates to a specific asset in SCC. The event types that InsightIDR can parse from this event source are Google SCC findings.
You can send data from your Google SCC to InsightIDR through the Cloud.
To set up the Google SCC event source:
- Read the requirements and complete any prerequisite steps.
- Configure InsightIDR to collect data from the event source.
- Test the configuration.
You can also:
Requirements
Before you start the configuration:
- Activate the Security Command Center for your Organization.
- Create a service account inside the Project you want to collect events on and give it the Viewer role.
- In the same project where you created the service account, enable the Security Command Center API.
- Create a Key for the service account and download the JSON output. You'll need information from the Key to complete the event source configuration, and you can only download the JSON immediately after creating the Key.
- Grant the service account (principal) the Security Center Findings Viewer role for the Organization. This allows Rapid7 to collect Security Command Center findings across your entire Organization.
Visit the third-party vendor's documentation
For the most accurate information, we recommend that you visit the third-party vendor's product documentation:
- Activate the Security Command Center for an Organization: https://cloud.google.com/security-command-center/docs/activate-scc-for-an-organization
- Create a service account: https://cloud.google.com/iam/docs/service-accounts-create
- Create a key for a service account: https://cloud.google.com/iam/docs/keys-create-delete#creating
- Enable the Security Command Center API for a Project: https://cloud.google.com/endpoints/docs/openapi/enable-api#console
- Grant a service account (principal) an Organization role: https://cloud.google.com/iam/docs/granting-changing-revoking-access#grant-single-role
Configure InsightIDR to collect data from the event source
After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.
Service account and API configured?
Before you create the event source, make sure that, for the GCP project in question, you have created a service account and verified that the Security Command Center API is enabled.
Task 1: Select Google Cloud Platform Security Command Center
- Go to Data Collection and click Setup Event Source > Add Event Source.
- Do one of the following:
- Search for Google in the event sources search bar.
- In the Product Type filter, select Third Party Alerts.
- Select the Google Cloud Platform Security Command Center event source tile.
Task 2: Set up your collection method
You can collect data from Google SCC through a cloud connection.
- Name the event source. This will become the name of the log that contains the event data in Log Search.
- Optionally, select the option to send unparsed data.
- Click Add a New Connection.
- In the Create a Cloud Connection screen, enter a name for the new connection.
- In the Organization ID field, enter the GCP Organization ID for the Organization you are collecting events from.
- In the Private Key ID field, enter the private_key_id value that you obtained from the Key attached to the Service Account you created before getting started.
- In the Client Email field, enter the client_email value from the same Key.
- In the Client ID field, enter the client_id value from the same Key.
- In the Client X509 Cert URL field, enter the client_x509_cert_url value from the same Key.
- Optionally, edit the Auth URI, Token URI, and Auth Provider X509 Cert URL fields if the values differ from those in the Key attached to the Service Account you created before getting started.
- In the Select Credential field, add a new credential:
- Click Add Credential.
- Name your credential.
- Describe your credential.
- Enter the Private Key that you obtained from the Key attached to the Service Account you created before getting started.
- Select the Product Access for the credential.
- Click Save & Test Connection.
- Optionally, provide a Java-style regex expression to filter out unwanted data.
- Click Save.
Test the configuration
The event types that InsightIDR parses from this event source are Google SCC findings.
To test that event data is flowing into InsightIDR:
- From the Data Collection Management page, open the Event Sources tab.
- Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to the Collector.
- Wait approximately 7 minutes, then open Log Search.
Next, verify that log entries are appearing in Log Search:
- From the left menu, go to Log Search.
- In the Log Search filter panel, search for the event source you named in step 4 of Configure InsightIDR to collect data from the event source. Google Cloud Platform Security Command Center logs should flow into the Third Party Alerts log set.
- Select the log sets and the logs within them.
- Set the time range to Last 10 minutes and click Run.
The Results table displays all events that flowed into InsightIDR in the last 10 minutes. Pay attention to the keys and values that are displayed, which are helpful when you want to build a query and search your logs.
Sample logs
In Log Search, the log that is generated uses the name of your event source by default. The log appears under the Third Party Alerts log set. Here is a typical raw log entry that is created by the event source:
```json
{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Malware: Cryptomining Bad Domain",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "cryptomining",
        "indicator": "domain",
        "ruleName": "bad_domain",
        "subRuleName": "cryptomining"
      },
      "detectionPriority": "LOW",
      "affectedResources": [
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
        }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "resourceContainer": "projects/PROJECT_ID",
            "timestamp": {
              "seconds": "1636566099",
              "nanos": 541483849
            },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "domains": [
          "DOMAIN"
        ],
        "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
        "network": {
          "project": "PROJECT_ID",
          "location": "ZONE"
        },
        "dnsContexts": [
          {
            "authAnswer": true,
            "sourceIp": "SOURCE_IP_ADDRESS",
            "queryName": "DOMAIN",
            "queryType": "A",
            "responseCode": "NXDOMAIN"
          }
        ],
        "vpc": {
          "vpcName": "default"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1496/"
        },
        "virustotalIndicatorQueryUri": [
          {
            "displayName": "VirusTotal Domain Link",
            "url": "https://www.virustotal.com/gui/domain/DOMAIN/detection"
          }
        ],
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222021-11-10T17:41:39.541483849Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
          }
        ],
        "relatedFindingUri": {}
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-11-10T17:41:41.594Z",
    "createTime": "2021-11-10T17:41:42.014Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "indicator": {
      "domains": [
        "DOMAIN"
      ]
    }
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parentDisplayName": "PARENT_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "displayName": "PROJECT_ID"
  }
}
```
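The raw entry above is deeply nested, so a useful first step when building queries or automations is to flatten each finding into the handful of fields an analyst triages. The following is an added example (not Rapid7 or Google code) that does this with the standard library only; the embedded sample is a constructed, trimmed copy of the redacted finding above, with its placeholder values kept as-is.

```python
import json

# Constructed sample: a trimmed copy of the page's redacted cryptomining
# finding, keeping only the keys normalize_finding() reads.
SAMPLE_RAW = json.dumps({
    "finding": {
        "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
        "state": "ACTIVE",
        "category": "Malware: Cryptomining Bad Domain",
        "severity": "LOW",
        "findingClass": "THREAT",
        "eventTime": "2021-11-10T17:41:41.594Z",
        "indicator": {"domains": ["DOMAIN"]},
        "sourceProperties": {
            "detectionCategory": {"technique": "cryptomining",
                                  "ruleName": "bad_domain", "subRuleName": "cryptomining"},
            "properties": {
                "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
                "dnsContexts": [{"sourceIp": "SOURCE_IP_ADDRESS", "queryName": "DOMAIN",
                                 "queryType": "A", "responseCode": "NXDOMAIN"}]},
            "contextUris": {"mitreUri": {"url": "https://attack.mitre.org/techniques/T1496/"}},
        },
    },
    "resource": {"projectDisplayName": "PROJECT_ID"},
})

def normalize_finding(raw: str) -> dict:
    """Flatten one raw SCC finding into the fields an analyst triages first.
    Every lookup tolerates a missing key, because findings from detectors other
    than the one shown here may lack detectionCategory, dnsContexts or indicator."""
    doc = json.loads(raw)
    f = doc.get("finding", {})
    sp = f.get("sourceProperties", {})
    det = sp.get("detectionCategory", {})
    props = sp.get("properties", {})
    dns = props.get("dnsContexts", [])
    return {
        "finding_id": f.get("name", "").rsplit("/", 1)[-1],   # last path segment
        "category": f.get("category"),
        "finding_class": f.get("findingClass"),
        "severity": f.get("severity"),
        "state": f.get("state"),
        "event_time": f.get("eventTime"),
        "project": doc.get("resource", {}).get("projectDisplayName"),
        "instance": props.get("instanceDetails"),
        "rule": ".".join(x for x in (det.get("ruleName"), det.get("subRuleName")) if x),
        "domains": f.get("indicator", {}).get("domains", []),
        "source_ips": sorted({d["sourceIp"] for d in dns if "sourceIp" in d}),
        "mitre_url": sp.get("contextUris", {}).get("mitreUri", {}).get("url"),
    }
```

The `rule` value (`bad_domain.cryptomining` for the sample) and `finding_class` are good candidates for grouping in Log Search, since they stay stable across findings while `finding_id` and `event_time` do not.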