Google Security Command Center
  • 08 Dec 2024

Security Command Center is Google Cloud's centralized vulnerability and threat reporting service. Security Command Center helps you strengthen your security posture by evaluating your security and data attack surface; providing asset inventory and discovery; identifying misconfigurations, vulnerabilities and threats; and helping you mitigate and remediate risks.

Integration Method: API

Tables: Compliance Finding, Detection Finding, Vulnerability Finding

This integration has been tested against the Security Command Center API v2.

Google Security Command Center Configuration

  1. Log in to your Google Cloud Platform console.

  2. Ensure that Google Security Command Center is activated at the organization level. For step-by-step instructions on enabling and configuring Security Command Center for an organization, see one of the following:

    1. Activate the Security Command Center Standard or Premium tier for an organization

    2. Activate the Security Command Center Enterprise tier

  3. After confirming that the Google SCC service is activated at the organization level, obtain the service account's credentials for accessing the service via REST calls.

  4. To generate service-account credentials, or to view the public credentials that you've already generated, do the following:

First, create a service account:

  • Open the Service accounts page

  • If prompted, select a project, or create a new one.

  • Click Create service account.

  • Under Service account details, type a name, ID, and description for the service account, then click Create and continue.

  • Click Done.

Next, create a service account key:

  • Click the email address for the service account you created.

  • Click the Keys tab.

  • In the Add key drop-down list, select Create new key.

  • Click Create.

  • Your new public/private key pair is generated and downloaded to your machine; it serves as the only copy of the private key. You are responsible for storing it securely. If you lose this key pair, you will need to generate a new one.

  • To assign roles to the newly created service account, follow the steps below:

    • Open the Google Cloud Console.

    • In the left-hand navigation pane, click on "IAM & Admin".

    • Then select "IAM".

    • Ensure you have selected the correct organization from the project/organization selector at the top of the page.

    • Click on the "Add" button at the top of the IAM page.

    • In the "New members" field, enter the email address of the service account you created.

    • In the "Select a role" dropdown, choose the role(s) you want to assign to the service account. You can search for roles or browse through the categories. The roles listed below are the minimum required for accessing the Google SCC API.

      • Organization Admin

      • Security Center Admin Viewer

    • Click the "Save" button to apply the role to the service account.

DataBee Configuration

  1. Log in to the DataBee console, navigate to Data > Data sources, and click the Add New Data Source button.

  2. Search for the Google Security Command Center option using the search bar on the Add New Data Source page.

  3. Select the API Ingest option and enter the appropriate details in the Configure Data source form. Then click the Next button.

  4. In the configuration details dialog, enter the following:

    • Authorization Method: Google OAuth2

    • API Base URL: Replace the <instance> placeholder with the value for the location of your GCP account, as listed below.

      1. global: securitycenter

      2. me-central-2: securitycenter.me-central2.rep

    • Organization ID: Enter the organization ID. Refer to link for more information.

    • Token URL: Enter https://oauth2.googleapis.com/token

    • Private Key: Paste the private key from the service account JSON file downloaded earlier. Example:

      • Correct Format: MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAA

      • Incorrect Format: -----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAA\n-----END PRIVATE KEY-----\n

    • Client Email: Enter the service account email address from the service account creation process.

    • Admin Email: Enter the email address of the user for which the application is requesting delegated access. If no domain-wide authority is delegated to the service account, enter the same email as in the Client Email field.

  5. Click Submit.
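
The Private Key field takes only the base64 body of the `private_key` value in the downloaded JSON file. The Python script below is an added example, not DataBee or Google code: it derives the Client Email, Token URL and Private Key form values from a key file, stripping the PEM header, footer and newlines and checking that what remains decodes as DER. The function names and the sample key are constructed for illustration; the JSON field names (`type`, `client_email`, `token_uri`, `private_key`) are assumed to be those of a standard Google service account key file.

```python
import base64
import json
import re

TOKEN_URL = "https://oauth2.googleapis.com/token"  # value the page gives for Token URL
PEM_RE = re.compile(r"-----BEGIN PRIVATE KEY-----(.*?)-----END PRIVATE KEY-----", re.S)


def key_body(pem: str) -> str:
    """Return the bare base64 body of a PKCS#8 PEM private key."""
    # A key copied from the raw JSON text carries literal "\n" escapes.
    pem = pem.replace("\\n", "\n")
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no 'BEGIN PRIVATE KEY' block found")
    body = "".join(match.group(1).split())       # drop line breaks and spaces
    der = base64.b64decode(body, validate=True)  # raises on stray characters
    if not der or der[0] != 0x30:                # PKCS#8 DER starts with SEQUENCE
        raise ValueError("decoded key is not a DER SEQUENCE")
    return body


def form_values(key_json: str) -> dict:
    """Map a service account key file to the DataBee form fields."""
    info = json.loads(key_json)
    if info.get("type") != "service_account":
        raise ValueError("not a service account key file")
    if info.get("token_uri") != TOKEN_URL:
        raise ValueError("unexpected token_uri: %r" % info.get("token_uri"))
    return {"Client Email": info["client_email"],
            "Token URL": info["token_uri"],
            "Private Key": key_body(info["private_key"])}


def sample_key_json() -> str:
    """Constructed sample: the DER bytes are filler, not a real key."""
    body = base64.b64encode(b"\x30\x82\x00\x10" + bytes(range(16))).decode()
    pem = ("-----BEGIN PRIVATE KEY-----\n" + body[:16] + "\n" + body[16:]
           + "\n-----END PRIVATE KEY-----\n")
    return json.dumps({"type": "service_account", "token_uri": TOKEN_URL,
                       "client_email": "svc@example-project.iam.gserviceaccount.com",
                       "private_key": pem})


if __name__ == "__main__":
    values = form_values(sample_key_json())
    # Print only non-secret facts; the key body itself stays off the terminal.
    print(values["Client Email"], len(values["Private Key"]), "base64 chars")
```

For a real key file, pass its contents to `form_values` and paste the returned `Private Key` value into the form directly rather than writing it to a log or shared terminal.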

