Integrating Google Security Command Center (GSCC) with XSIAM

Title_Integration-GSCC-with-XSIAM_palo-alto-networks.jpg

This blog was written by Daniel Ma.

 

Introduction

 

XSIAM (Extended Security Intelligence & Automation Management) is a platform that transforms how security operations teams operate by building an intelligent data foundation across an organization’s security infrastructure. XSIAM leverages machine learning, analytics, and automation to provide advanced threat detection and response capabilities. One of the key features of XSIAM is its integration with Google Cloud Platform (GCP), which enables customers to centralize visibility into security and compliance risks on GCP. By integrating XSIAM with Google Security Command Center (GSCC), customers can benefit from the following advantages:

 

  • Enhanced security for GCP resources and applications: Customers can monitor and protect their GCP resources, including compute, storage, networking, and identity, from a single console. They can also use the Connectors Framework and Reporting Connectors to ingest data from various sources and generate reports for security analysis. Additionally, they can leverage the AI-powered Identity Threat Detection and Response (ITDR) module ...
  • Enhanced security for workforce identities: Customers can monitor and protect their GCP users and applications from identity-driven attacks, such as credential theft, phishing, malware infection, and data exfiltration.
  • Streamlined compliance management: Customers can use XSIAM to automate their compliance workflows and reduce the risk of non-compliance. They can leverage the Compliance Manager module to assess their compliance posture against industry standards and regulatory requirements, such as PCI DSS, HIPAA, and GDPR.

 

How To

 

1. Set up the Security Command Center configuration in GCP

    a. Enable the SCC service. SCC Premium is a paid service; you need to subscribe to it through the GCP console.

Fig 1_Integration-GSCC-with-XSIAM_palo-alto-networks.png

    b. Set up Continuous Exports so that findings are published to XSIAM through Pub/Sub.

 

Fig 2_Integration-GSCC-with-XSIAM_palo-alto-networks.png

Configure the subscription for the findings export:

Fig 3_Integration-GSCC-with-XSIAM_palo-alto-networks.png
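The same pipeline the screenshots above configure by hand, scripted with gcloud, as an added example that is not part of the original post or of the content pack. It creates the Pub/Sub topic and pull subscription, the organization-level continuous export (a "notification config") with a filter so only active HIGH/CRITICAL findings reach XSIAM, and a dedicated, least-privilege service account for the XSIAM integration. The project ID, organization ID, topic, subscription and service account names are placeholders; the SCC notification service agent principal is written following the pattern in Google's SCC documentation and should be verified in your organization. By default the script only prints the commands (DRY_RUN=1); run it with DRY_RUN=0 to apply them.

```shell
#!/usr/bin/env bash
# Added example: provision the SCC -> Pub/Sub -> XSIAM export with gcloud.
# Assumptions: PROJECT_ID and ORG_ID are passed as arguments; topic,
# subscription and service-account names below are hypothetical.
# DRY_RUN=1 (default) prints each gcloud command instead of running it.

: "${DRY_RUN:=1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Export filter: only ACTIVE findings of HIGH or CRITICAL severity, so the
# correlation rule in XSIAM is not flooded with low-severity or resolved findings.
scc_export_filter() {
  printf '%s' 'state="ACTIVE" AND (severity="HIGH" OR severity="CRITICAL")'
}

create_export_pipeline() {
  local project_id="$1" org_id="$2"
  local topic="scc-findings-export" sub="scc-findings-xsiam" sa="xsiam-scc-reader"
  local sa_email="${sa}@${project_id}.iam.gserviceaccount.com"
  local topic_path="projects/${project_id}/topics/${topic}"

  # 0. The SCC API must be enabled in the project that owns the topic.
  run gcloud services enable securitycenter.googleapis.com --project="$project_id"

  # 1. Topic plus the pull subscription the XSIAM integration instance will read.
  run gcloud pubsub topics create "$topic" --project="$project_id"
  run gcloud pubsub subscriptions create "$sub" --topic="$topic" \
    --project="$project_id" --ack-deadline=60

  # 2. Allow SCC's notification service agent to publish into the topic.
  #    Assumption: the principal follows the pattern documented by Google; verify it.
  run gcloud pubsub topics add-iam-policy-binding "$topic" --project="$project_id" \
    --member="serviceAccount:service-org-${org_id}@gcp-sa-scc-notification.iam.gserviceaccount.com" \
    --role="roles/pubsub.publisher"

  # 3. The continuous export itself, scoped to the organization.
  run gcloud scc notifications create "scc-to-xsiam" --organization="$org_id" \
    --pubsub-topic="$topic_path" \
    --description="Continuous export of findings to XSIAM" \
    --filter="$(scc_export_filter)"

  # 4. Least-privilege identity for XSIAM: consume this one subscription, read
  #    findings and assets, and update finding state (needed by the
  #    google-cloud-scc-finding-state-update / finding-update commands).
  run gcloud iam service-accounts create "$sa" --project="$project_id" \
    --display-name="XSIAM SCC reader"
  run gcloud pubsub subscriptions add-iam-policy-binding "$sub" --project="$project_id" \
    --member="serviceAccount:${sa_email}" --role="roles/pubsub.subscriber"
  for role in roles/securitycenter.findingsViewer \
              roles/securitycenter.findingsEditor \
              roles/securitycenter.assetsViewer; do
    run gcloud organizations add-iam-policy-binding "$org_id" \
      --member="serviceAccount:${sa_email}" --role="$role"
  done

  # 5. Key for the integration instance: upload it to XSIAM's credential store,
  #    delete the local copy, and rotate it on a schedule.
  run gcloud iam service-accounts keys create "./${sa}.json" --iam-account="$sa_email"
}

if [ "$#" -eq 2 ]; then
  create_export_pipeline "$1" "$2"
else
  echo "usage: DRY_RUN=0 $0 PROJECT_ID ORG_ID   (DRY_RUN=1, the default, only prints)" >&2
fi
```

The filter is where most of the signal-to-noise tuning happens: SCC supports further clauses on category, finding class and mute state, and anything excluded here never reaches the correlation rule in XSIAM. Granting the service account subscriber rights on the single subscription rather than on the project keeps the integration's credential useless for anything else if the key leaks.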

 

2. Go to XSIAM -> Marketplace and search for “Google Cloud SCC”

    a. Select Google Cloud SCC; it is a content pack with pre-configured integrations and alert mappings.

Fig 04_Integration-GSCC-with-XSIAM_palo-alto-networks.png

Fig 05_Integration-GSCC-with-XSIAM_palo-alto-networks.png

    b. Install the content pack by clicking “Install”.
    c. Go to XSIAM -> Configuration -> Automation & Feed Integrations. You will see Google Cloud SCC (Partner Contribution); add an instance and fill in the information required to connect it to SCC. For more information, refer to the Google Cloud SCC integration document.

Fig 6_Integration-GSCC-with-XSIAM_palo-alto-networks.png

 

View the Findings in XSIAM

 

1. XSIAM automatically generates a correlation rule for the SCC findings:

 

Fig 7_Integration-GSCC-with-XSIAM_palo-alto-networks.png

 

2. When SCC produces a new finding, XSIAM generates an incident from it:

 

Fig 8_Integration-GSCC-with-XSIAM_palo-alto-networks.png

 

3. Investigate the auto-generated alert

The Technical Information section shows the details of the alert; follow the finding_url field in that section to open the finding in SCC:

 

Fig 9_Integration-GSCC-with-XSIAM_palo-alto-networks.png

 

Go to the War Room for more details of the alert:

 

Fig 10_Integration-GSCC-with-XSIAM_palo-alto-networks.png

 

Or run a command in the War Room to pull additional information from SCC through the integration:

 

Fig 11_Integration-GSCC-with-XSIAM_palo-alto-networks.png

 

Available commands include:

  • google-cloud-scc-asset-owner-get: gets the owner information for the provided projects
  • google-cloud-scc-asset-resource-list: lists a cloud asset's resources
  • google-cloud-scc-finding-list: lists an organization's or source's findings
  • google-cloud-scc-finding-state-update: updates the state of an organization's or source's finding
  • google-cloud-scc-finding-update: updates an organization's or source's finding

 

4. Apply an automation rule to remediate the findings, or take more interactive actions by applying a playbook in XSIAM:

 

Fig 12_Integration-GSCC-with-XSIAM_palo-alto-networks.png
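What the continuous export actually delivers, and the kind of logic an automation rule applies to it, as an added example that is not part of the original post or of the Google Cloud SCC content pack: it decodes a Pub/Sub envelope, normalises the SCC NotificationMessage into the fields an analyst sees in the Technical Information section (the externalUri is assumed here to be the source of the finding_url field), and applies a hypothetical triage policy that ignores findings below a severity threshold, escalates THREAT-class and CRITICAL findings, and closes the incident when a finding flips to INACTIVE. The envelope and finding JSON follow the v1 NotificationMessage shape; organization, source and finding IDs, resource names and the policy thresholds are constructed.

```python
"""Added example (not from the original post): decode, normalise and triage
SCC findings as they arrive from a continuous export over Pub/Sub.
Sample messages are constructed to follow the v1 NotificationMessage shape;
all IDs, names and the triage policy are assumptions for illustration."""
import base64
import json
from dataclasses import dataclass

# Ordering used to compare a finding against a minimum-severity threshold
SEVERITY_RANK = {"SEVERITY_UNSPECIFIED": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Alert:
    finding_name: str     # organizations/ORG/sources/SRC/findings/ID
    category: str
    severity: str
    state: str            # ACTIVE or INACTIVE
    finding_class: str    # THREAT, VULNERABILITY, MISCONFIGURATION, ...
    resource_name: str
    project: str
    finding_url: str      # externalUri; assumed to back finding_url in XSIAM
    event_time: str


def decode_pubsub_message(envelope: dict) -> dict:
    """Pub/Sub carries the NotificationMessage as base64-encoded JSON in message.data."""
    return json.loads(base64.b64decode(envelope["message"]["data"]))


def normalize_finding(notification: dict) -> Alert:
    f = notification["finding"]
    r = notification.get("resource", {})
    return Alert(
        finding_name=f["name"],
        category=f["category"],
        severity=f.get("severity", "SEVERITY_UNSPECIFIED"),
        state=f["state"],
        finding_class=f.get("findingClass", ""),
        resource_name=f.get("resourceName", ""),
        project=r.get("projectDisplayName", ""),
        finding_url=f.get("externalUri", ""),
        event_time=f.get("eventTime", ""),
    )


def triage(alert: Alert, min_severity: str = "HIGH") -> str:
    """Hypothetical automation-rule policy. Returns 'close' when the finding is no
    longer ACTIVE (resolve the matching incident), 'ignore' below the threshold,
    'escalate' for THREAT-class or CRITICAL findings, otherwise 'alert'."""
    if alert.state != "ACTIVE":
        return "close"
    if SEVERITY_RANK.get(alert.severity, 0) < SEVERITY_RANK[min_severity]:
        return "ignore"
    if alert.finding_class == "THREAT" or alert.severity == "CRITICAL":
        return "escalate"
    return "alert"


def _envelope(finding: dict, resource: dict) -> dict:
    """Wrap a constructed NotificationMessage in a push-style Pub/Sub envelope."""
    body = {"notificationConfigName": "organizations/123456789012/notificationConfigs/scc-to-xsiam",
            "finding": finding, "resource": resource}
    data = base64.b64encode(json.dumps(body).encode()).decode()
    return {"message": {"data": data, "messageId": "1", "publishTime": "2024-01-01T00:00:00Z"}}


# Constructed sample findings: a public bucket, an anomalous IAM grant, the
# bucket finding being resolved, and a low-severity open port.
SAMPLE_MESSAGES = [
    _envelope({"name": "organizations/123456789012/sources/1111/findings/aaa",
               "category": "PUBLIC_BUCKET_ACL", "severity": "HIGH", "state": "ACTIVE",
               "findingClass": "MISCONFIGURATION",
               "resourceName": "//storage.googleapis.com/demo-public-bucket",
               "externalUri": "https://console.cloud.google.com/storage/browser/demo-public-bucket",
               "eventTime": "2024-01-01T00:00:00Z"}, {"projectDisplayName": "demo-project"}),
    _envelope({"name": "organizations/123456789012/sources/2222/findings/bbb",
               "category": "Persistence: IAM Anomalous Grant", "severity": "CRITICAL",
               "state": "ACTIVE", "findingClass": "THREAT",
               "resourceName": "//cloudresourcemanager.googleapis.com/projects/demo-project",
               "eventTime": "2024-01-01T00:05:00Z"}, {"projectDisplayName": "demo-project"}),
    _envelope({"name": "organizations/123456789012/sources/1111/findings/aaa",
               "category": "PUBLIC_BUCKET_ACL", "severity": "HIGH", "state": "INACTIVE",
               "findingClass": "MISCONFIGURATION",
               "resourceName": "//storage.googleapis.com/demo-public-bucket",
               "eventTime": "2024-01-01T01:00:00Z"}, {"projectDisplayName": "demo-project"}),
    _envelope({"name": "organizations/123456789012/sources/1111/findings/ccc",
               "category": "OPEN_SSH_PORT", "severity": "LOW", "state": "ACTIVE",
               "findingClass": "MISCONFIGURATION",
               "resourceName": "//compute.googleapis.com/projects/demo-project/zones/us-central1-a/instances/vm-1"},
              {"projectDisplayName": "demo-project"}),
]


def process(messages: list) -> list:
    """Decode, normalise and triage each envelope; returns (finding name, category, action)."""
    results = []
    for env in messages:
        alert = normalize_finding(decode_pubsub_message(env))
        results.append((alert.finding_name, alert.category, triage(alert)))
    return results


if __name__ == "__main__":
    for name, category, action in process(SAMPLE_MESSAGES):
        print(f"{action:8s} {category:35s} {name}")
```

The third message is the important edge case: the continuous export sends the same finding name again when its state changes, so an automation rule keyed on the finding name can close the incident it opened rather than raise a duplicate. The state round-trip also works in the other direction through google-cloud-scc-finding-state-update, which is why the integration's service account needs edit rights on findings and not only read access.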

 
