Overview
About Google Security Command Center
Google Security Command Center helps you strengthen your security posture by evaluating your security and data attack surface; providing asset inventory and discovery; identifying misconfigurations, vulnerabilities, and threats; and helping you mitigate and remediate risks.
Why integrate Google Security Command Center into the Vulcan platform?
The Google Security Command Center Connector by Vulcan integrates with the Google Security Command Center platform to pull and ingest assets of type host, image, and cloud resource, as well as vulnerability data, into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data, which feeds into risk and remediation priority.
Google Security Command Center Connector Details
Supported products | |
Category | Cloud |
Ingested asset type(s) | Hosts Images Cloud Resources |
Integration type | Unidirectional (data is transferred from the Connector to the Vulcan Platform in one direction) |
Supported version and type | SaaS (latest) |
Connector Setup
Prerequisites and user permissions
Before you begin configuring the Connector, make sure you have the following:
Google Security Command Center API User with the following permissions:
Security Center Assets Viewer
Security Center Findings Viewer
See Create access credentials | Google Workspace | Google for Developers for the source of this section. Also, see IAM for organization-level activations | Security Command Center | Google Cloud for additional information about permissions.
Generating JSON Keyfile
In the Google Cloud console, go to Menu > IAM & Admin > Service Accounts.
Click Create service account.
Fill in the service account details, then click Create and continue.
Assign the following roles to the service account:
Security Center Assets Viewer
Security Center Findings Viewer
Click Continue.
Click Done.
Select your service account.
Click Keys > Add key > Create new key.
Select JSON, then click Create.
The new public/private key pair is generated and downloaded to your machine as a new file. Make sure to save it in JSON format.
Click Close.
Configuring the Google Security Command Center Connector
Log in to your Vulcan Cyber dashboard and go to Connectors.
Click on Add a Connector.
Click on the Google Security Command Center icon.
Set up the Connector as follows:
For JSON Keyfile, browse to upload the JSON key file you generated earlier.
For Projects, click Load Projects and select the relevant projects to sync the connector with.
(Optional) Check the "Fetch misconfiguration findings" checkbox to retrieve misconfiguration findings from the Google Security Command Center into the Vulcan Platform.
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Google Security Command Center instance, then click Create (or Save Changes).
Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.
Allow some time for the sync to complete. Then, you can review the sync status under Log on the Connector's setup page.
To confirm the sync is complete, navigate to the Connectors page. Once the Google Security Command Center icon shows Connected, the sync is complete.
Google Security Command Center in the Vulcan Platform
Viewing Google Security Command Center vulnerabilities in the Vulcan Platform
To view vulnerabilities by Connector/Source:
Go to the Vulnerabilities page.
Use the Search or Filter input box to select the Vulnerability Source or Connector filter.
Select Google Security Command Center from the vulnerability source/Connector list to filter results.
Click on any vulnerability for more vulnerability details.
Viewing Google Security Command Center assets in the Vulcan Platform
To view assets by Connector/Source:
Go to the Assets page.
Click on the relevant asset type tab.
Use the Search or filter input box to select Connector from the drop-down selection.
Select Google Security Command Center from the Asset source/Connector list to filter results and view all synced assets.
See the complete list of available asset filters per asset type
Taking Action on vulnerabilities and assets detected by Google Security Command Center
To take remediation action on vulnerabilities and assets detected by Google Security Command Center:
Go to Vulnerabilities / Assets Page.
Click on the Search and Filter input box and select Connector from the drop-down selection.
Locate the Google Security Command (GCC) option to view all synced vulnerabilities/assets.
Select the relevant Vulnerability/Asset.
Click Take Action.
Automating remediation actions on vulnerabilities detected by Google Security Command Center
Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. You can take advantage of the automation capabilities of Vulcan Cyber and the Google Security Command Center Connector.
From Google Security Command Center to the Vulcan Platform - Data Mapping
The Vulcan Platform integrates with Google Security Command Center through API to pull relevant vulnerabilities and assets data and map it into the Vulcan Platform pages and fields.
Host fields mapping
Google Security Command Center field | Vulcan field |
asset.securityCenterProperties.resourceName | Asset uniqueness criteria |
resourceDisplayName OR last section of resourceName (delimited by /) | Asset Name |
resourceName | Asset Details |
Host | Asset Type |
networkInterfaces | Asset IP |
createTime | Asset Created date |
lifecycleState | Asset Status |
resourceProjectDisplayName, labels, tags, resourceOwners, zone, resourceFolderDisplayName | Asset Tags - Vendor’s tags |
vulnerability.cve.id (vulnerabilities) OR parentDisplayName + description (misconfigurations) | Vulnerability uniqueness criteria |
vulnerability.cve.id (vulnerabilities) OR parentDisplayName (misconfiguration) | Vulnerability Title |
description | Vulnerability Description |
finding_class parentDisplayName category | Vulnerability Details |
vulnerability.cve.cvssv3.baseScore Fallback: severity (using the logic described in the Vulnerability Score Mapping section) | Vulnerability CVSS |
finding.vulnerability.cve.id | Vulnerability CVE/S |
asset id + name + vulnerability id | Asset-Vulnerability connection uniqueness criteria |
createTime | Asset-Vulnerability connection First seen |
eventTime | Asset-Vulnerability connection Last seen |
vulnerability.cve.cvssv3.baseScore, Fallback: severity (using the logic described in the Vulnerability Score Mapping section) | Asset-Vulnerability connection Score |
state and mute (using the logic described in the Vulnerability Status Mapping section) | Asset-Vulnerability connection Status |
finding_canonical_name finding_external_uri finding_securitymarks_name finding_severity finding_compliances | Asset-Vulnerability connection Info tooltip (from Assets screen) |
Explanation + ExceptionInstructions | Solution uniqueness criteria |
Fix from Google Security Command Center | Solution Title |
Explanation + ExceptionInstructions | Solution Description |
Image fields mapping
Google Security Command Center field | Vulcan field |
asset.securityCenterProperties.resourceName | Asset uniqueness criteria |
resourceDisplayName OR last section of resourceName (delimited by /) | Asset Name |
resourceName | Asset Details |
Image | Asset Type |
Images (for 'google.compute.Image') OR Registry (for 'google.containerregistry.Image') | Asset Repository |
lifecycleState | Asset Status |
resourceDisplayName, resourceProjectDisplayName, labels, resourceOwners, resourceFolderDisplayName | Asset Tags - Vendor’s tags |
asset.securityCenterProperties.resourceName | Asset Tags - Additional |
vulnerability.cve.id (vulnerabilities) OR parentDisplayName + description (misconfigurations) | Vulnerability uniqueness criteria |
vulnerability.cve.id (vulnerabilities) OR parentDisplayName (misconfigurations) | Vulnerability Title |
description | Vulnerability Description |
finding_class parentDisplayName category | Vulnerability Details |
vulnerability.cve.cvssv3.baseScore Fallback: Severity (using the logic described in the Vulnerability Score Mapping section) | Vulnerability CVSS |
finding.vulnerability.cve.id | Vulnerability CVE/S |
asset id + name + vulnerability id | Asset-Vulnerability connection uniqueness criteria |
createTime | Asset-Vulnerability connection First seen |
eventTime | Asset-Vulnerability connection Last seen |
vulnerability.cve.cvssv3.baseScore Fallback: Severity (using the logic described in the Vulnerability Score Mapping section) | Asset-Vulnerability connection Score |
state and mute (using the logic described in the Vulnerability Status Mapping section) | Asset-Vulnerability connection Status |
finding_canonical_name finding_external_uri finding_securitymarks_name finding_severity finding_compliances | Asset-Vulnerability connection Info tooltip (from Assets screen) |
Explanation + ExceptionInstructions | Solution uniqueness criteria |
Fix from Google Security Command Center | Solution Title |
Explanation + ExceptionInstructions | Solution Description |
Cloud Resource fields mapping
Google Security Command Center field | Vulcan field |
asset.securityCenterProperties.resourceName | Asset uniqueness criteria |
resourceDisplayName OR last section of resourceName (delimited by /) | Asset Name |
resourceName | Asset ID |
Asset Cloud (provider) | |
resourceName | Asset Details |
Cloud resource | Asset Type |
createTime | Asset Created date |
lifecycleState | Asset Status |
resourceProjectDisplayName, resourceOwners, resourceFolderDisplayName | Asset Tags - Vendor’s tags |
vulnerability.cve.id (vulnerabilities) OR parentDisplayName + description (misconfigurations) | Vulnerability uniqueness criteria |
vulnerability.cve.id (vulnerabilities) OR parentDisplayName (misconfigurations) | Vulnerability Title |
description | Vulnerability Description |
finding_class parentDisplayName category | Vulnerability Details |
vulnerability.cve.cvssv3.baseScore Fallback: Severity (using the logic described in the Vulnerability Score Mapping section) | Vulnerability CVSS |
finding.vulnerability.cve.id | Vulnerability CVE/S |
asset id + name + vulnerability id | Asset-Vulnerability connection uniqueness criteria |
createTime | Asset-Vulnerability connection First seen |
eventTime | Asset-Vulnerability connection Last seen |
vulnerability.cve.cvssv3.baseScore Fallback: Severity (using the logic described in the Vulnerability Score Mapping section) | Asset-Vulnerability connection Score |
state and mute (using the logic described in the Vulnerability Status Mapping section) | Asset-Vulnerability connection Status |
finding_canonical_name finding_external_uri finding_securitymarks_name finding_severity finding_compliances | Asset-Vulnerability connection Info tool tip (from Assets screen) |
Explanation + ExceptionInstructions | Solution uniqueness criteria |
Fix from Google Security Command Center | Solution Fix Title |
Explanation + ExceptionInstructions | Solution Description |
Vulnerability status mapping
Google Security Command Center Status | Vulcan Status |
state in [ACTIVE, STATE_UNSPECIFIED] AND mute != MUTED | Vulnerable |
state == INACTIVE | Fixed |
mute == MUTED AND state != INACTIVE | Ignored risk acknowledged |
Vulnerability score mapping
Google Security Command Center score | Vulcan score |
Critical | 10 |
High | 7 |
Medium | 5 |
Low | 3 |
SEVERITY_UNSPECIFIED | 0 |
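The status and score tables above applied to finding records, as an added example that is not Vulcan's code. The function names are hypothetical, the sample findings are constructed, and two behaviours are assumptions the page does not state: a state outside the listed values is reported as "Unmapped", and an unrecognised severity scores 0.

```python
# Fallback scores from the "Vulnerability score mapping" table.
SEVERITY_SCORE = {"CRITICAL": 10, "HIGH": 7, "MEDIUM": 5, "LOW": 3,
                  "SEVERITY_UNSPECIFIED": 0}


def vulcan_status(finding):
    """Apply the "Vulnerability status mapping" rows to one finding."""
    state = finding.get("state", "STATE_UNSPECIFIED")
    if state == "INACTIVE":
        return "Fixed"  # INACTIVE wins even if the finding is also muted
    if finding.get("mute") == "MUTED":
        return "Ignored risk acknowledged"
    if state in ("ACTIVE", "STATE_UNSPECIFIED"):
        return "Vulnerable"
    return "Unmapped"  # assumption: the page lists no row for other states


def vulcan_score(finding):
    """CVSS v3 base score when present, otherwise the severity fallback."""
    cve = (finding.get("vulnerability") or {}).get("cve") or {}
    base = (cve.get("cvssv3") or {}).get("baseScore")
    if base is not None:
        return float(base)
    severity = str(finding.get("severity") or "SEVERITY_UNSPECIFIED").upper()
    return float(SEVERITY_SCORE.get(severity, 0))  # assumption: unknown -> 0


def vulcan_title(finding):
    """CVE id for vulnerabilities, parentDisplayName for misconfigurations."""
    cve = (finding.get("vulnerability") or {}).get("cve") or {}
    return cve.get("id") or finding.get("parentDisplayName", "")


def preview(findings):
    """Return (title, status, score) per finding, following the mapping tables."""
    return [(vulcan_title(f), vulcan_status(f), vulcan_score(f)) for f in findings]


# Constructed sample findings; the CVE id is a placeholder, not a real record.
SAMPLE = [
    {"state": "ACTIVE", "mute": "UNMUTED", "severity": "HIGH",
     "vulnerability": {"cve": {"id": "CVE-0000-00000", "cvssv3": {"baseScore": 9.8}}}},
    {"state": "ACTIVE", "mute": "MUTED", "severity": "HIGH",
     "parentDisplayName": "Security Health Analytics", "description": "constructed"},
    {"state": "INACTIVE", "mute": "MUTED", "severity": "MEDIUM",
     "parentDisplayName": "Security Health Analytics", "description": "constructed"},
]

if __name__ == "__main__":
    for row in preview(SAMPLE):
        print(row)
```

Running a preview like this over an export of findings shows which muted findings will surface as "Ignored risk acknowledged" rather than "Vulnerable" after the next sync.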
Status Update Mechanisms
Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any were added).
The table below lists how the status update mechanism works in the Google Security Command Center connector for the vulnerabilities and assets in the Vulcan Platform.
Update type in Vulcan | Mechanism (When?) |
The asset is archived | - Asset not found on the connector's last sync - Asset not seen for X days according to "Last Seen". - Asset status on the connector's side indicates irrelevancy. |
The vulnerability instance status changes to "Fixed" | - If the vulnerability no longer appears in the scan findings. - Vulnerability status on the connector's side indicates irrelevancy (e.g., "INACTIVE"). |
Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).
API Endpoints in Use
API version: 1.0
Revision: 20230515
API | Use in Vulcan | Permissions required |
User choice of which projects to retrieve data from | Security Center Assets Viewer | |
Assets | Security Center Assets Viewer | |
Vulnerabilities and asset-vulnerability connections | Security Center Findings Viewer |