Skip to main content
Solved

How to ingest Chokepoint findings from SCCE into SecOps?

  • March 13, 2025
  • 3 replies
  • 16 views
ar3diu
Forum|alt.badge.img+8

It looks like they are not collected in neither SIEM or SOAR by default. Any idea?

https://cloud.google.com/security-command-center/docs/reference/rest/v2/IssueType

Best answer by _K_O

Thanks for the explanation! So, there are several exports configured and I can't figure out which one goes to SecOps. Any idea how to figure that out? Because that could point me to the filter that should also contain finding_class="CHOKEPOINT"

 


My best guess is that it's the ones that start with SOAR_Connector: 

That being said, you may need to reach out to your TAM to confirm which ones were set up for your project. I only have two available so I'd probably just modify both. 

 

    3 replies

    _K_O
    Forum|alt.badge.img+12
    • _K_OBronze 5
    • Bronze 5
    • March 13, 2025

    Within the Risk Overview Setting Page, there are pub subs which push the events from SCCE to SecOps SIEM/SOAR:

     

    If you look into the different connectors & jobs, you'll see the event types that are being pushed from SCCE. By default, it looks like a few finding classes are not included. (This doesn't account for the Threat finding_class though which confuses me).

    My assumption is that you would need to add the Chokepoint finding class to those queries:

     

    finding_class="CHOKEPOINT"

     

     

    ar3diu
    Forum|alt.badge.img+8
    • ar3diuSilver 2
    • Author
    • Silver 2
    • March 14, 2025

    Within the Risk Overview Setting Page, there are pub subs which push the events from SCCE to SecOps SIEM/SOAR:

     

    If you look into the different connectors & jobs, you'll see the event types that are being pushed from SCCE. By default, it looks like a few finding classes are not included. (This doesn't account for the Threat finding_class though which confuses me).

    My assumption is that you would need to add the Chokepoint finding class to those queries:

     

    finding_class="CHOKEPOINT"

     

     


    Thanks for the explanation! So, there are several exports configured and I can't figure out which one goes to SecOps. Any idea how to figure that out? Because that could point me to the filter that should also contain finding_class="CHOKEPOINT"

     

    _K_O
    Forum|alt.badge.img+12
    • _K_OBronze 5
    • Bronze 5
    • Answer
    • March 14, 2025

    Thanks for the explanation! So, there are several exports configured and I can't figure out which one goes to SecOps. Any idea how to figure that out? Because that could point me to the filter that should also contain finding_class="CHOKEPOINT"

     


    My best guess is that it's the ones that start with SOAR_Connector: 

    That being said, you may need to reach out to your TAM to confirm which ones were set up for your project. I only have two available so I'd probably just modify both. 

     

    Terms & ConditionsCookie settingsAccessibility statement
    Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

    © 2025 Google. All rights reserved.