Google Security Command Center Event Source

The Google Cloud Platform (GCP) Security Command Center (SCC) is Google's built-in security and vulnerability detection service. It monitors your GCP environment for threats such as compromised identities (by integrating with IAM), data exfiltration, and misconfigurations. Security Health Analytics and Web Security Scanner detectors generate vulnerability findings that are available in SCC. When they are turned on in SCC, integrated services such as VM Manager also generate vulnerability findings.

SCC findings model the potential security risks of assets in a project or an organization. A finding always relates to a specific asset in SCC. The event types that InsightIDR can parse from this event source are Google SCC findings.

You can send data from Google SCC to InsightIDR through a cloud connection: InsightIDR reads findings from the SCC API using the service account credential you configure below.

To set up the Google SCC event source:

  1. Read the requirements and complete any prerequisite steps.
  2. Configure InsightIDR to collect data from the event source.
  3. Test the configuration.

Requirements

Before you start the configuration:

  • Enable the Security Command Center API (securitycenter.googleapis.com) for the Organization and Project you want to collect events on.
  • Create a service account inside the Project you want to collect events on and give it the Owner role (roles/owner). Owner is the broadest project role, so use a service account dedicated to this integration rather than one that other workloads share.
  • Create a Key for the service account and download the JSON output.
    • You'll need values from the Key to complete event source configuration, and GCP only offers the private key for download at the moment the Key is created. If you lose the file, create a new Key.
    • The JSON file is a long-lived credential. Store it in a secrets manager, and delete local copies once the connection is configured.
  • Grant the service account (principal) the Security Center Findings Viewer role (roles/securitycenter.findingsViewer) on the Organization. This is the grant that lets the connection read findings across every project in the Organization.

Visit the third-party vendor's documentation

For the most accurate information, we recommend that you visit the third-party vendor's product documentation for Security Command Center.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

Task 1: Select Google Cloud Platform Security Command Center

  1. Go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Google in the event sources search bar.
    • In the Product Type filter, select Third Party Alerts.
  3. Select the Google Cloud Platform Security Command Center event source tile.

Task 2: Set up your collection method

You can collect data from Google SCC through a cloud connection.

  1. Name the event source. This will become the name of the log that contains the event data in Log Search.
  2. Optionally, select the option to send unparsed data.
  3. Click Add a New Connection.
  4. In the Create a Cloud Connection screen, enter a name for the new connection.
  5. In the Organization ID field, enter the numeric GCP Organization ID of the Organization you are collecting events from.
  6. In the Private Key ID field, enter the private_key_id value from the service account Key JSON you downloaded during the prerequisite steps.
  7. In the Client Email field, enter the client_email value from the Key JSON.
  8. In the Client ID field, enter the client_id value from the Key JSON.
  9. In the Client X509 Cert URL field, enter the client_x509_cert_url value from the Key JSON.
  10. Optionally, edit the Auth URI, Token URI, and Auth Provider X509 Cert URL fields if the auth_uri, token_uri, and auth_provider_x509_cert_url values in the Key JSON differ from the defaults shown.
  11. In the Select Credential field, add a new credential:
    • Click Add Credential.
    • Name your credential.
    • Describe your credential.
    • In the Private Key field, enter the private_key value from the Key JSON.
    • Select the Product Access for the credential.
  12. Click Save & Test Connection. If the test fails, confirm that the Organization ID is correct and that the Security Center Findings Viewer role from the Requirements was granted on the Organization, not only on the Project.
  13. Optionally, provide a Java-style regular expression to filter out unwanted data.
  14. Click Save.
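Steps 6 to 11 copy five fields out of the service account Key JSON, and step 10 asks you to compare three more against defaults. The following script, added here as an example and not part of Rapid7's or Google's tooling, checks a Key file before anything is pasted into the form: it confirms the file is a service account key rather than an OAuth client secret, that every field the form needs is present, that the private key is a PEM block, and that the client_email belongs to the key's own project_id; it then lists the form values (never echoing the private key) and flags any URI that differs from Google's defaults. The sample key below is constructed, with a placeholder in place of real key material; the form field labels are taken from the steps above.

```python
"""Added example (not Rapid7's or Google's code): read the service account Key
JSON downloaded during the Requirements and map its fields onto the Create a
Cloud Connection form from Task 2, checking the file before anything is pasted."""
import json

# Defaults Google writes into every service account key file. Step 10 says to
# edit the Auth URI, Token URI and Auth Provider X509 Cert URL fields only
# when the key file's values differ from these.
GOOGLE_DEFAULT_URIS = {
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
}

# Key file field -> InsightIDR form field (Task 2, steps 6 to 11).
FORM_FIELDS = {
    "private_key_id": "Private Key ID",
    "client_email": "Client Email",
    "client_id": "Client ID",
    "client_x509_cert_url": "Client X509 Cert URL",
    "private_key": "Private Key (inside the credential)",
}

# Constructed sample key; the private key body is a placeholder, not real key material.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER_BASE64_BODY\n-----END PRIVATE KEY-----\n",
    "client_email": "insightidr-scc@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/"
                            "insightidr-scc%40example-project.iam.gserviceaccount.com",
})


def check_key(text):
    """Parse a key file and return (key, problems). An empty problems list means
    the file is a service account key with every field the form needs."""
    key = json.loads(text)
    problems = []
    # An OAuth client secret ({"installed": ...} / {"web": ...}) or a user
    # credential does not carry type=service_account; the form cannot use those.
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    for field in FORM_FIELDS:
        if not key.get(field):
            problems.append(f"missing {field}")
    pem = key.get("private_key", "").strip()
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and pem.endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a PEM PRIVATE KEY block")
    # A service account's e-mail ends in <project_id>.iam.gserviceaccount.com;
    # a mismatch means the key belongs to a different project than expected.
    email, project = key.get("client_email", ""), key.get("project_id", "")
    if project and not email.endswith(f"@{project}.iam.gserviceaccount.com"):
        problems.append(f"client_email {email!r} is not in project {project!r}")
    return key, problems


def form_values(key):
    """Return (values to type into the form, URI fields that differ from the
    defaults and so need editing in step 10)."""
    values = {label: key.get(field, "") for field, label in FORM_FIELDS.items()}
    uri_edits = {field: key.get(field) for field, default in GOOGLE_DEFAULT_URIS.items()
                 if key.get(field) != default}
    return values, uri_edits


if __name__ == "__main__":
    key, problems = check_key(SAMPLE_KEY_JSON)
    for p in problems:
        print("PROBLEM:", p)
    values, uri_edits = form_values(key)
    for label, value in values.items():
        # Never echo the private key; confirm only that it is present.
        shown = f"<{len(value)} chars, not shown>" if label.startswith("Private Key (") else value
        print(f"{label}: {shown}")
    print("URI fields to edit:", uri_edits or "none")
```

Run it against your downloaded file by replacing SAMPLE_KEY_JSON with the file's contents; an empty problem list and "URI fields to edit: none" means steps 6 to 11 are a straight copy and step 10 can be skipped.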

Test the configuration

The event types that InsightIDR parses from this event source are Google SCC findings.

To test that event data is flowing into InsightIDR:

  1. From the Data Collection Management page, open the Event Sources tab.
  2. Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing into InsightIDR.
  3. Wait approximately 7 minutes, then open Log Search.

Next, verify that log entries are appearing in Log Search:

  1. From the left menu, go to Log Search.
  2. In the Log Search filter panel, search for the event source you named in step 1 of Task 2: Set up your collection method. Google Cloud Platform Security Command Center logs should flow into the Third Party Alerts log set.
  3. Select the log sets and the logs within them.
  4. Set the time range to Last 10 minutes and click Run.

The Results table displays all events that flowed into InsightIDR in the last 10 minutes. Pay attention to the keys and values that are displayed, which are helpful when you want to build a query and search your logs.

Sample logs

In Log Search, the log that is generated uses the name of your event source by default. The log appears under the Third Party Alerts log set. Here is a typical raw log entry that is created by the event source; values in capitals such as ORGANIZATION_ID, PROJECT_ID and DOMAIN are placeholders for the real identifiers:

```json
{
  "finding": {
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "state": "ACTIVE",
    "category": "Malware: Cryptomining Bad Domain",
    "sourceProperties": {
      "sourceId": {
        "projectNumber": "PROJECT_NUMBER",
        "customerOrganizationNumber": "ORGANIZATION_ID"
      },
      "detectionCategory": {
        "technique": "cryptomining",
        "indicator": "domain",
        "ruleName": "bad_domain",
        "subRuleName": "cryptomining"
      },
      "detectionPriority": "LOW",
      "affectedResources": [
        {
          "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
        }
      ],
      "evidence": [
        {
          "sourceLogId": {
            "projectId": "PROJECT_ID",
            "resourceContainer": "projects/PROJECT_ID",
            "timestamp": {
              "seconds": "1636566099",
              "nanos": 541483849
            },
            "insertId": "INSERT_ID"
          }
        }
      ],
      "properties": {
        "domains": [
          "DOMAIN"
        ],
        "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
        "network": {
          "project": "PROJECT_ID",
          "location": "ZONE"
        },
        "dnsContexts": [
          {
            "authAnswer": true,
            "sourceIp": "SOURCE_IP_ADDRESS",
            "queryName": "DOMAIN",
            "queryType": "A",
            "responseCode": "NXDOMAIN"
          }
        ],
        "vpc": {
          "vpcName": "default"
        }
      },
      "findingId": "FINDING_ID",
      "contextUris": {
        "mitreUri": {
          "displayName": "MITRE Link",
          "url": "https://attack.mitre.org/techniques/T1496/"
        },
        "virustotalIndicatorQueryUri": [
          {
            "displayName": "VirusTotal Domain Link",
            "url": "https://www.virustotal.com/gui/domain/DOMAIN/detection"
          }
        ],
        "cloudLoggingQueryUri": [
          {
            "displayName": "Cloud Logging Query Link",
            "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222021-11-10T17:41:39.541483849Z%22%0AinsertId%3D%22INSERT_ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
          }
        ],
        "relatedFindingUri": {}
      }
    },
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "eventTime": "2021-11-10T17:41:41.594Z",
    "createTime": "2021-11-10T17:41:42.014Z",
    "severity": "LOW",
    "workflowState": "NEW",
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "mute": "UNDEFINED",
    "findingClass": "THREAT",
    "indicator": {
      "domains": [
        "DOMAIN"
      ]
    }
  },
  "resource": {
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "projectDisplayName": "PROJECT_ID",
    "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "parentDisplayName": "PARENT_NAME",
    "type": "google.cloud.resourcemanager.Project",
    "displayName": "PROJECT_ID"
  }
}
```
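The fields a detection or triage rule cares about are spread across several levels of that entry: the category, severity, state, mute and findingClass sit on the finding; the affected instance, the queried domains and the DNS evidence sit under sourceProperties.properties; the MITRE reference is a URL under contextUris; and the evidence timestamp is a protobuf-style seconds/nanos pair rather than an RFC 3339 string. The following script, added here as an example and not part of Rapid7's or Google's code, flattens one entry into those fields and applies a simple actionability check (open, unmuted THREAT findings at or above a severity floor). Its input is a trimmed copy of the sample log above with the same placeholder values; the flat field names and the is_actionable policy are this example's own choices.

```python
"""Added example (not Rapid7's or Google's code): flatten an SCC finding as it
arrives in Log Search into the fields a rule keys on, and decide whether it
needs a human. SAMPLE_ENTRY is a trimmed copy of the page's sample log entry."""
from datetime import datetime, timezone
from urllib.parse import urlparse

SAMPLE_ENTRY = {  # trimmed from the sample log above; capitalised values are placeholders
    "finding": {
        "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
        "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
        "state": "ACTIVE",
        "category": "Malware: Cryptomining Bad Domain",
        "sourceProperties": {
            "detectionCategory": {"technique": "cryptomining", "indicator": "domain",
                                  "ruleName": "bad_domain", "subRuleName": "cryptomining"},
            "evidence": [{"sourceLogId": {"projectId": "PROJECT_ID", "insertId": "INSERT_ID",
                                          "timestamp": {"seconds": "1636566099", "nanos": 541483849}}}],
            "properties": {
                "domains": ["DOMAIN"],
                "instanceDetails": "/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID",
                "dnsContexts": [{"authAnswer": True, "sourceIp": "SOURCE_IP_ADDRESS",
                                 "queryName": "DOMAIN", "queryType": "A", "responseCode": "NXDOMAIN"}],
            },
            "contextUris": {"mitreUri": {"displayName": "MITRE Link",
                                         "url": "https://attack.mitre.org/techniques/T1496/"}},
        },
        "eventTime": "2021-11-10T17:41:41.594Z",
        "severity": "LOW",
        "workflowState": "NEW",
        "mute": "UNDEFINED",
        "findingClass": "THREAT",
    },
    "resource": {"projectDisplayName": "PROJECT_ID",
                 "type": "google.cloud.resourcemanager.Project"},
}

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


def evidence_time(ts):
    """Protobuf-style {"seconds", "nanos"} -> RFC 3339 with nanosecond precision,
    the same form the Cloud Logging query link in the sample uses."""
    base = datetime.fromtimestamp(int(ts["seconds"]), tz=timezone.utc)
    return base.strftime("%Y-%m-%dT%H:%M:%S") + f".{int(ts.get('nanos', 0)):09d}Z"


def mitre_technique(context_uris):
    """'https://attack.mitre.org/techniques/T1496/' -> 'T1496'; None when absent."""
    url = context_uris.get("mitreUri", {}).get("url")
    return urlparse(url).path.rstrip("/").rsplit("/", 1)[-1] if url else None


def summarize(entry):
    """Flatten one raw log entry into the fields a rule or ticket needs."""
    f = entry["finding"]
    sp = f.get("sourceProperties", {})
    props = sp.get("properties", {})
    return {
        "finding_id": f["name"].rsplit("/", 1)[-1],
        "category": f.get("category"),
        "finding_class": f.get("findingClass"),
        "severity": f.get("severity"),
        "state": f.get("state"),
        "mute": f.get("mute"),
        "event_time": f.get("eventTime"),
        "project": entry.get("resource", {}).get("projectDisplayName"),
        "instance": props.get("instanceDetails"),
        "domains": props.get("domains", []),
        # (source IP, queried name, response code) for each DNS observation
        "dns": [(c.get("sourceIp"), c.get("queryName"), c.get("responseCode"))
                for c in props.get("dnsContexts", [])],
        "evidence_times": [evidence_time(e["sourceLogId"]["timestamp"])
                           for e in sp.get("evidence", [])
                           if "timestamp" in e.get("sourceLogId", {})],
        "mitre": mitre_technique(sp.get("contextUris", {})),
    }


def is_actionable(summary, min_severity="LOW"):
    """Open, unmuted THREAT findings at or above the severity floor. SCC keeps
    resolved findings as state INACTIVE and suppressed ones as mute MUTED, so
    both must be excluded or a rule re-alerts on history."""
    return (summary["state"] == "ACTIVE"
            and summary["mute"] != "MUTED"
            and summary["finding_class"] == "THREAT"
            and SEVERITY_RANK.get(summary["severity"], 0) >= SEVERITY_RANK[min_severity])


if __name__ == "__main__":
    s = summarize(SAMPLE_ENTRY)
    for k, v in s.items():
        print(f"{k}: {v}")
    print("actionable:", is_actionable(s))
```

The evidence timestamp reconstructed by evidence_time matches the timestamp embedded in the sample's cloudLoggingQueryUri, which is a quick sanity check that the seconds/nanos pair is being read correctly before you pivot into Cloud Logging.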