+8For SCCE customers, there’s a a SOAR SCC Enterprise Response Integration that can be used for ingesting Toxic Combination findings and syncing their status. What should I use if I have SCCP and SecOps? I can’t find the SCC Enterprise integration on the Marketplace. I can’t also import it from another instance.
A detection rule in SIEM would be the easiest way to go but it looks like a new log is written in SIEM every time the toxic combination finding is updated by SCC engine.
Any suggestions?
Best answer by kentphelps
Google Security Command Center: Version 14.0
Added the ability to ingest Toxic Combinations and Chokepoints in the following connector:
+11If you want to send findings from SCC Premium to Stand Alone SecOps SOAR here are a few guides that can help:
Send Security Command Center data to Google Security Operations SOAR
Enable finding notifications for Pub/Sub
Integrate Pub/Sub with Google SecOps
Integrate Security Command Center with Google SecOps
+8
+11If you go under Findings do you see Toxic Combinations and Chokepoints under Quick Filters for Finding Class?
+11The SOAR connector had not been updated to include the new classes. I opened a ticket to get the product team to update the connector. I am afraid I do not have a time frame for that.
+11
Google Security Command Center: Version 14.0
Added the ability to ingest Toxic Combinations and Chokepoints in the following connector:
+12With the update you should see all of the categories flowing into SecOps now. Here’s a basic query to show the different log types that are being ingested for SCC:
metadata.product_name = "Security Command Center"
match:
metadata.log_type
outcome:
$event_count = count(metadata.id)
YMMV:
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.