Integrating Google Security Command Center (GSCC) with XSIAM

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Community Team Member

Title_Integration-GSCC-with-XSIAM_palo-alto-networks.jpg

This blog written by Daniel Ma.

 

Introduction

 

XSIAM (Extended Security Intelligence & Automation Management) is a platform that transforms how security operations teams operate by building an intelligent data foundation across an organization’s security infrastructure. XSIAM leverages machine learning, analytics, and automation to provide advanced threat detection and response capabilities. One of the key features of XSIAM is its integration with Google Cloud Platform (GCP), which enables customers to centralize visibility into security and compliance risks on GCP. By integrating XSIAM with Google Security Command Center (GSCC), customers can benefit from the following advantages:

 

  • Enhanced security for GCP resources and applications: Customers can monitor and protect their GCP resources, including compute, storage, networking, and identity, from a single console. They can also use the Connectors Framework and Reporting Connectors to ingest data from various sources and generate reports for security analysis. Additionally, they can leverage the AI-powered Identity Threat Detection and Response (ITDR) module ...
  • Enhanced security for workforce and world: Customers can monitor and protect their GCP users and applications from identity-driven attacks, such as credential theft, phishing, malware infection, and data exfiltration
  • Streamlined compliance management: Customers can use XSIAM to automate their compliance workflows and reduce the risk of non-compliance. They can leverage the Compliance Manager module to assess their compliance posture against industry standards and regulatory requirements, such as PCI DSS, HIPAA, and GDPR

 

How To

 

1. Setup Security Command Center configuration in GCP

    1. Enable the SCC service. SCC Premium is a paid service, you would need to subscribe to the service through the GCP console

Fig 1_Integration-GSCC-with-XSIAM_palo-alto-networks.png

              b. Setting up the Continuous Exports to export the findings through pub/sub to XSIAM

 

Fig 2_Integration-GSCC-with-XSIAM_palo-alto-networks.png

Configure the subscription for the findings export:

Fig 3_Integration-GSCC-with-XSIAM_palo-alto-networks.png

 

2. Go to XSIAM -> Marketplace, search for “Google Cloud SCC”

    1. Select Google Cloud SCC, it’s a content package with pre-configured integrations and alert mappingsFig 04_Integration-GSCC-with-XSIAM_palo-alto-networks.png

       

Fig 05_Integration-GSCC-with-XSIAM_palo-alto-networks.png

 

  1. Install the content pack by clicking “Install”
  2. Go to XSIAM -> Configuration -> Automation & Feed Integrations, you will see: Google Cloud SCC (Partner Contribution), add the configuration needed to integrate with SCC and fill out the information accordingly. For more information, you can refer to the Google Cloud SCC document.

Fig 6_Integration-GSCC-with-XSIAM_palo-alto-networks.png

 

View the Findings in XSIAM

 

1. You will find an automatically generated correlation rule by XSIAM:

 

Fig 7_Integration-GSCC-with-XSIAM_palo-alto-networks.png

 

2. When there is any new findings from SCC, you can see a generated incident:

 

Fig 8_Integration-GSCC-with-XSIAM_palo-alto-networks.png

 

3. Investigate the auto generated alert

In the Technical Information section, you can see the details of the alert, Go to the SCC findings through the finding_url in the section:

 

Fig 9_Integration-GSCC-with-XSIAM_palo-alto-networks.png

 

Go to War Room to get more details of the alert:

 

Fig 10_Integration-GSCC-with-XSIAM_palo-alto-networks.png

 

Or, you can run a command directly in the War Room to get additional information directly from SCC through the integration:

 

Fig 11_Integration-GSCC-with-XSIAM_palo-alto-networks.png

 

Available commands including:

 

  • google-cloud-scc-asset-owner-get

Gets the owner information for the provided projects

 

  • google-cloud-scc-asset-resource-list

Lists cloud asset's resources

 

  • google-cloud-scc-finding-list

Lists an organization or source's findings

 

  • google-cloud-scc-finding-state-update

Update the state of organization's or source's finding

 

  • google-cloud-scc-finding-update

Update an organization's or source's finding

 

4. You can apply an automation rule to remediate the findings, or more interactive actions through apply playbook in the XSIAM:

 

Fig 12_Integration-GSCC-with-XSIAM_palo-alto-networks.png

 

  • 775 Views
  • 0 comments
  • 0 Likes
Register or Sign-in
Labels
Top Liked Authors