Integrate Security Command Center with Google SecOps

This document explains how to integrate Security Command Center with Google Security Operations (Google SecOps).

Integration version: 13.0

Before you begin

To use the integration, you need a custom Identity and Access Management (IAM) role and a Google Cloud service account. You can use an existing service account or create a new one.

Create and configure an IAM role

To create and configure a custom IAM role for the integration, complete the following steps:

  1. In the Google Cloud console, go to the IAM Roles page.

  2. Click Create role to create a custom role with permissions required for the integration.

  3. For a new custom role, enter a Title, Description, and unique ID.

  4. Set the Role Launch Stage to General Availability.

  5. Add the following permissions to the created role:

    • securitycenter.assets.list
    • securitycenter.findings.list
    • securitycenter.findings.setMute
    • securitycenter.findings.setState

Create and configure an API key

To create the API key, complete the following steps:

  1. In the Google Cloud console, go to APIs & Services > Credentials.

  2. Click Create Credentials.

  3. Select API key. A dialog appears with a generated API key. Copy the API key and store it securely.

To configure the API restriction for the API key, complete the following steps:

  1. Click Restrict key.

  2. Under API restrictions, select Restrict key.

  3. Select Security Command Center API from the API list.

  4. Configure the applicable restrictions.

  5. Click Save to save the API key configuration.

Grant access to the API key

To grant Security Command Center access to your API key, complete the following steps:

  1. In the Google Cloud console, go to IAM & Admin > Service accounts.

  2. Select the service account that you use in the Security Command Center integration.

  3. Click the service account's email address.

  4. Select Grant access.

  5. In the New members field, enter the service account's email address.

  6. Under Security Center, select the Security Center Viewer role.

  7. Click Save.

Integration parameters

The Security Command Center integration requires the following parameters:

Parameter Description
API Root

Required.

The API root of the Security Command Center instance.

Organization ID

Optional.

The ID of the organization to use in the Security Command Center integration.

Project ID

Optional.

The project ID of the Security Command Center instance.

Quota Project ID

Optional.

The Google Cloud project ID that you use for Google Cloud APIs and billing. This parameter requires you to grant the Service Usage Consumer role to your service account.

If you don't set a value for this parameter, the integration retrieves the project ID from your Google Cloud service account.

User's Service Account

Required.

The content of the service account key JSON file.

You can configure this parameter or the Workload Identity Email parameter.

To configure this parameter, provide the full content of the service account key JSON file that you downloaded when you created a service account.

Workload Identity Email

Optional.

The client email address of your service account.

You can configure this parameter or the User's Service Account parameter.

If you set this parameter, configure the Quota Project ID parameter.

To impersonate service accounts with the Workload Identity Federation, grant the Service Account Token Creator role to your service account. For more details about workload identities and how to work with them, see Identities for workloads.

Verify SSL

Required.

If selected, the integration validates the SSL certificate when connecting to the Security Command Center server.

Selected by default.

For instructions about how to configure an integration in Google SecOps, see Configure integrations.

You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.

Actions

For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.

Enrich Assets

Use the Enrich Assets action to enrich assets using information from Security Command Center.

This action runs on all Google SecOps entities.

Action inputs

The Enrich Assets action requires the following parameters:

Parameter Description
Asset Resource Names

Required.

A comma-separated list of the resource names of the assets to return data for.

Action outputs

The Enrich Assets action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Available
Entity enrichment table Available
JSON result Available
Output messages Available
Script result Available

Case wall table

The Enrich Assets action can return the following table:

Table title: ASSET_ID

Table columns:

  • Key
  • Value

Entity enrichment table

The Enrich Assets action can enrich the following entities:

  • google.compute.Instance
  • google.compute.Address
  • google.iam.ServiceAccount
  • google.cloud.storage.Bucket

The following table shows an example of the google.compute.Instance entity enrichment:

Enrichment field name | Source (JSON key) | Applicability
resourceOwners_KEY | resourceOwners/KEY, as a comma-separated list | When available in the JSON result.
type | resourceType | When available in the JSON result.
create_time | createTime | When available in the JSON result.
update_time | updateTime | When available in the JSON result.
related_service_accounts | resourceProperties/serviceAccounts/email, as a comma-separated list | When available in the JSON result.
tags | resourceProperties/tags/items, as a comma-separated list | When available in the JSON result.
self_link | resourceProperties/selfLink | When available in the JSON result.
status | resourceProperties/status | When available in the JSON result.
ip_addresses | resourceProperties/networkInterfaces, as a comma-separated list | When available in the JSON result.

JSON result

The following example shows the JSON result output received when using the Enrich Assets action:

{
    "siemplify_asset_display_name": "",
    "asset": {
        "name": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
        "securityCenterProperties": {
          "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/europe-west1-b/instances/INSTANCE_ID",
          "resourceType": "google.compute.Instance",
          "resourceParent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
          "resourceProject": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
          "resourceOwners": {
            "serviceAccount": [
              "PROJECT_ID@cloudbuild.gserviceaccount.com",
              "example@PROJECT_ID.iam.gserviceaccount.com"
            ],
            "user": [
              "dana@example.com",
              "alex@example.com",
              "test-@example.net"
            ]
          },
          "resourceDisplayName": "vm-wordpress",
          "resourceParentDisplayName": "PROJECT_ID",
          "resourceProjectDisplayName": "PROJECT_ID"
        },
        "resourceProperties": {
          "shieldedInstanceConfig": "{\"enableIntegrityMonitoring\":true,\"enableSecureBoot\":false,\"enableVtpm\":true}",
          "scheduling": "{\"automaticRestart\":true,\"onHostMaintenance\":\"MIGRATE\",\"preemptible\":false,\"provisioningModel\":\"STANDARD\"}",
          "labelFingerprint": "rs_6ubxpsZU=",
          "creationTimestamp": "2022-02-08T05:00:54.691-08:00",
          "networkInterfaces": "[{\"fingerprint\":\"DLL4fFQQkFU\\u003d\",\"name\":\"nic0\",\"network\":\"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/scc-demo\",\"networkIP\":\"192.0.1.40\",\"stackType\":\"IPV4_ONLY\",\"subnetwork\":\"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/europe-west1/subnetworks/vm-net1\"}]",
          "name": "vm-wordpress",
          "machineType": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/europe-west1-b/machineTypes/e2-standard-2",
          "serviceAccounts": "[{\"email\":\"PROJECT_ID-compute@developer.gserviceaccount.com\",\"scopes\":[\"https://www.googleapis.com/auth/devstorage.read_only\",\"https://www.googleapis.com/auth/logging.write\",\"https://www.googleapis.com/auth/monitoring.write\",\"https://www.googleapis.com/auth/pubsub\",\"https://www.googleapis.com/auth/service.management.readonly\",\"https://www.googleapis.com/auth/servicecontrol\",\"https://www.googleapis.com/auth/trace.append\"]}]",
          "tags": "{\"fingerprint\":\"AG-OvsszYew\\u003d\",\"items\":[\"wordpress\"]}",
          "fingerprint": "pJ1DSfT2-oM=",
          "labels": "{\"env\":\"test\"}",
          "canIpForward": false,
          "zone": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/europe-west1-b",
          "cpuPlatform": "Intel Broadwell",
          "disks": "[",
          "shieldedInstanceIntegrityPolicy": "{\"updateAutoLearnPolicy\":true}",
          "deletionProtection": false,
          "selfLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/europe-west1-b/instances/vm-wordpress",
          "startRestricted": false,
          "lastStartTimestamp": "2022-02-08T05:01:05.259-08:00",
          "status": "RUNNING",
          "id": "INSTANCE_ID"
        },
        "securityMarks": {
          "name": "organizations/ORGANIZATION_ID/assets/ASSET_ID/securityMarks"
        },
        "createTime": "2022-02-08T13:00:55.518Z",
        "updateTime": "2022-04-27T20:12:50.687Z",
        "iamPolicy": {},
        "canonicalName": "projects/PROJECT_ID/assets/ASSET_ID"
    }
}

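
The enrichment table and the JSON result above hide one detail that matters when you consume this output in a playbook: the nested Compute Engine properties under resourceProperties (networkInterfaces, serviceAccounts, tags, and so on) are JSON documents serialized as strings, so they need a second decode before their fields can be read. The following Python is an added illustration, not code from the integration itself. It derives the enrichment fields listed in the table from a constructed result that mirrors the structure shown above (PROJECT_ID, ORGANIZATION_ID and ASSET_ID are placeholders), and it treats an undecodable property, such as the truncated "disks" value in the example, as absent rather than failing the whole enrichment.

```python
import json
from typing import Any, Optional

# Constructed sample (not a real asset) that mirrors the structure of the
# Enrich Assets JSON result above; PROJECT_ID and ASSET_ID are placeholders.
SAMPLE_RESULT = {
    "siemplify_asset_display_name": "",
    "asset": {
        "name": "organizations/ORGANIZATION_ID/assets/ASSET_ID",
        "securityCenterProperties": {
            "resourceType": "google.compute.Instance",
            "resourceOwners": {
                "serviceAccount": ["example@PROJECT_ID.iam.gserviceaccount.com"],
                "user": ["dana@example.com", "alex@example.com"],
            },
        },
        "resourceProperties": {
            # Nested Compute Engine properties arrive as JSON serialized to strings.
            "networkInterfaces": json.dumps([{"name": "nic0", "networkIP": "192.0.1.40"}]),
            "serviceAccounts": json.dumps(
                [{"email": "PROJECT_ID-compute@developer.gserviceaccount.com", "scopes": []}]
            ),
            "tags": json.dumps({"fingerprint": "AG-OvsszYew=", "items": ["wordpress"]}),
            "selfLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/europe-west1-b/instances/vm-wordpress",
            "status": "RUNNING",
            "disks": "[",  # truncated value, exactly as in the result above
        },
        "createTime": "2022-02-08T13:00:55.518Z",
        "updateTime": "2022-04-27T20:12:50.687Z",
    },
}


def decode_property(props: dict, key: str) -> Optional[Any]:
    """Return a resourceProperties value, decoding it when it is a JSON string.

    Missing keys and undecodable strings yield None, so one bad property
    (such as the truncated "disks" value) never aborts the whole enrichment.
    """
    raw = props.get(key)
    if not isinstance(raw, str):
        return raw
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return None


def build_enrichment(result: dict) -> dict:
    """Flatten an Enrich Assets result into the enrichment fields of the table."""
    asset = result.get("asset", {})
    scc = asset.get("securityCenterProperties", {})
    props = asset.get("resourceProperties", {})
    fields = {}

    # resourceOwners_KEY: one comma-separated field per owner kind (user, serviceAccount).
    for kind, owners in scc.get("resourceOwners", {}).items():
        fields[f"resourceOwners_{kind}"] = ",".join(owners)

    # Scalar fields are copied through when present.
    scalars = {
        "type": scc.get("resourceType"),
        "create_time": asset.get("createTime"),
        "update_time": asset.get("updateTime"),
        "self_link": props.get("selfLink"),
        "status": props.get("status"),
    }
    fields.update({k: v for k, v in scalars.items() if v is not None})

    # Fields that need the nested JSON decoded first.
    accounts = decode_property(props, "serviceAccounts") or []
    emails = [a.get("email") for a in accounts if a.get("email")]
    if emails:
        fields["related_service_accounts"] = ",".join(emails)

    tags = decode_property(props, "tags") or {}
    if tags.get("items"):
        fields["tags"] = ",".join(tags["items"])

    nics = decode_property(props, "networkInterfaces") or []
    ips = [n.get("networkIP") for n in nics if n.get("networkIP")]
    if ips:
        fields["ip_addresses"] = ",".join(ips)

    # The truncated "disks" value decodes to None and is simply left unmapped.
    return fields


if __name__ == "__main__":
    for name, value in build_enrichment(SAMPLE_RESULT).items():
        print(f"{name}: {value}")
```

Running the module prints one line per enrichment field; the comma-separated fields (related_service_accounts, tags, ip_addresses) are the ones the table describes as comma-separated lists.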
Output messages

The Enrich Assets action can return the following output messages:

Output message Message description

Successfully enriched the following assets using information from Security Command Center: ASSET_ID.

Action wasn't able to enrich the following assets using information from Security Command Center: ASSET_ID.

None of the provided assets were enriched.

The action succeeded.
Error executing action "Enrich Assets". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Enrich Assets action:

Script result name Value
is_success True or False

Get Finding Details

Use the Get Finding Details action to retrieve details about a finding in Security Command Center.

This action doesn't run on Google SecOps entities.

Action inputs

The Get Finding Details action requires the following parameters:

Parameter Description
Finding Name

Required.

The names of the findings to return details for. This parameter accepts multiple values as a comma-separated list.

The example for finding names is as follows:

organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID

Action outputs

The Get Finding Details action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available

Case wall table

The Get Finding Details action can return the following table:

Table title: Finding Details

Table columns:

  • Category
  • State
  • Severity
  • Type

JSON result

The following example shows the JSON result output received when using the Get Finding Details action:

[
    {
        "finding_name": "organizations/ORGANIZATION_ID/sources/2678067631293752869/findings/hvX6WwbvFyBGqPbEs9WH9m",
        "finding": {
            "name": "organizations/ORGANIZATION_ID/sources/2678067631293752869/findings/hvX6WwbvFyBGqPbEs9WH9m",
            "parent": "organizations/ORGANIZATION_ID/sources/2678067631293752869",
            "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
            "state": "ACTIVE",
            "category": "Discovery: Service Account Self-Investigation",
            "sourceProperties": {
                "sourceId": {
                    "projectNumber": "PROJECT_ID",
                    "customerOrganizationNumber": "ORGANIZATION_ID"
                },
                "detectionCategory": {
                    "technique": "discovery",
                    "indicator": "audit_log",
                    "ruleName": "iam_anomalous_behavior",
                    "subRuleName": "service_account_gets_own_iam_policy"
                },
                "detectionPriority": "LOW",
                "affectedResources": [
                    {
                        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID"
                    }
                ],
                "evidence": [
                    {
                        "sourceLogId": {
                            "projectId": "PROJECT_ID",
                            "resourceContainer": "projects/PROJECT_ID",
                            "timestamp": {
                                "seconds": "1622678907",
                                "nanos": 448368000
                            },
                            "insertId": "ID"
                        }
                    }
                ],
                "properties": {
                    "serviceAccountGetsOwnIamPolicy": {
                        "principalEmail": "prisma-cloud-serv@PROJECT_ID.iam.gserviceaccount.com",
                        "projectId": "PROJECT_ID",
                        "callerIp": "192.0.2.41",
                        "callerUserAgent": "Redlock/GC-MDC/resource-manager/PROJECT_ID Google-API-Java-Client HTTP-Java-Client/1.34.0 (gzip),gzip(gfe)",
                        "rawUserAgent": "Redlock/GC-MDC/resource-manager/PROJECT_ID Google-API-Java-Client HTTP-Java-Client/1.34.0 (gzip),gzip(gfe)"
                    }
                },
                "contextUris": {
                    "mitreUri": {
                        "displayName": "Permission Groups Discovery: Cloud Groups",
                        "url": "https://attack.mitre.org/techniques/ID/003/"
                    },
                    "cloudLoggingQueryUri": [
                        {
                            "displayName": "Cloud Logging Query Link",
                            "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222021-06-03T00:08:27.448368Z%22%0AinsertId%3D%22ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
                        }
                    ]
                }
            },
            "securityMarks": {
                "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
            },
            "eventTime": "2021-06-03T00:08:27.448Z",
            "createTime": "2021-06-03T00:08:31.074Z",
            "severity": "LOW",
            "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
            "mute": "UNDEFINED",
            "findingClass": "THREAT",
            "mitreAttack": {
                "primaryTactic": "DISCOVERY",
                "primaryTechniques": [
                    "PERMISSION_GROUPS_DISCOVERY",
                    "CLOUD_GROUPS"
                ]
            }
        },
        "resource": {
            "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
            "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
            "projectDisplayName": "PROJECT_ID",
            "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
            "parentDisplayName": "example.net",
            "type": "google.cloud.resourcemanager.Project",
            "displayName": "PROJECT_ID"
        }
    }
]

Output messages

The Get Finding Details action can return the following output messages:

Output message Message description

Successfully returned details about the following findings in Security Command Center: FINDING_NAMES.

Action wasn't able to find the following findings in Security Command Center: FINDING_NAMES.

None of the provided findings were found in Security Command Center.

The action succeeded.
Error executing action "Get Finding Details". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Get Finding Details action:

Script result name Value
is_success True or False

List Asset Vulnerabilities

Use the List Asset Vulnerabilities action to list vulnerabilities related to entities in Security Command Center.

This action doesn't run on Google SecOps entities.

Action inputs

The List Asset Vulnerabilities action requires the following parameters:

Parameter Description
Asset Resource Names

Required.

The resource names of the assets to return data for. This parameter accepts multiple values as a comma-separated list.

Timeframe

Optional.

A period to search for the vulnerabilities or misconfigurations.

The possible values are as follows:

  • Last Week
  • Last Month
  • Last Year
  • All Time

The default value is All Time.

Record Types

Optional.

The type of the record to return.

The possible values are as follows:

  • Vulnerabilities
  • Misconfigurations
  • Vulnerabilities + Misconfigurations

The default value is Vulnerabilities + Misconfigurations.

Output Type

Optional.

The type of output to return in the JSON result for every asset.

The possible values are as follows:

  • Statistics
  • Data
  • Statistics + Data

The default value is Statistics.

Max Records To Return

Optional.

The maximum number of records to return for every record type.

The default value is 100.

Action outputs

The List Asset Vulnerabilities action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available

Case wall table

The List Asset Vulnerabilities action can return the following tables:

Table title: ASSET_ID Vulnerabilities

Table columns:

  • Category
  • Description
  • Severity
  • Event Time
  • CVE

Table title: ASSET_ID Misconfigurations

Table columns:

  • Category
  • Description
  • Severity
  • Event Time
  • Recommendation

JSON result

The following example shows the JSON result output received when using the List Asset Vulnerabilities action:

{
    "siemplify_asset_display_name": "",
    "vulnerabilities": {
        "statistics": {
            "critical": 1,
            "high": 1,
            "medium": 1,
            "low": 1,
            "undefined": 1
        },
        "data": [
            {
                "category": "CATEGORY",
                "description": "DESCRIPTION",
                "cve_id": "CVE_ID",
                "event_time": "EVENT_TIME",
                "related_references": "RELATED_REFERENCES",
                "severity": "SEVERITY"
            }
        ]
    },
    "misconfigurations": {
        "statistics": {
            "critical": 1,
            "high": 1,
            "medium": 1,
            "low": 1,
            "undefined": 1
        },
        "data": [
            {
                "category": "CATEGORY",
                "description": "DESCRIPTION",
                "recommendation": "RECOMMENDATION",
                "event_time": "EVENT_TIME",
                "severity": "SEVERITY"
            }
        ]
    }
}

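
The inputs of this action (Timeframe, Record Types, Output Type, Max Records To Return) combine to produce the per-asset result shown above. The following Python is an added worked example, not the integration's own implementation, showing how those inputs shape the output for one asset. It runs on a constructed batch of findings whose keys follow the finding objects on this page (CATEGORY, DESCRIPTION, CVE_ID and RECOMMENDATION are placeholders, and the reference time NOW is fixed so the result is reproducible). Two assumptions are labelled in the code: the Record Types option list is taken to be Vulnerabilities, Misconfigurations, and Vulnerabilities + Misconfigurations, and statistics count every finding in the timeframe while only the data array is capped, so a capped result still reports true totals.

```python
from datetime import datetime, timedelta, timezone

# Statistics buckets, matching the keys of the JSON result above.
SEVERITY_BUCKETS = ("critical", "high", "medium", "low", "undefined")

# Timeframe option -> lookback window (None means All Time).
TIMEFRAMES = {
    "Last Week": timedelta(days=7),
    "Last Month": timedelta(days=30),
    "Last Year": timedelta(days=365),
    "All Time": None,
}

# Record Types option -> finding classes it covers. Assumption: the option list is
# Vulnerabilities, Misconfigurations, and Vulnerabilities + Misconfigurations.
RECORD_TYPES = {
    "Vulnerabilities": {"VULNERABILITY"},
    "Misconfigurations": {"MISCONFIGURATION"},
    "Vulnerabilities + Misconfigurations": {"VULNERABILITY", "MISCONFIGURATION"},
}

# Constructed findings for one asset; CVE_ID and the other upper-case values are
# placeholders in the style of this page, not real data.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    {"findingClass": "VULNERABILITY", "severity": "CRITICAL", "category": "CATEGORY_A",
     "description": "DESCRIPTION", "eventTime": "2024-05-30T10:00:00Z", "cve_id": "CVE_ID"},
    {"findingClass": "VULNERABILITY", "severity": "LOW", "category": "CATEGORY_B",
     "description": "DESCRIPTION", "eventTime": "2023-01-15T10:00:00Z", "cve_id": "CVE_ID"},
    {"findingClass": "MISCONFIGURATION", "severity": "HIGH", "category": "CATEGORY_C",
     "description": "DESCRIPTION", "eventTime": "2024-05-20T10:00:00Z", "recommendation": "RECOMMENDATION"},
    {"findingClass": "MISCONFIGURATION", "severity": "", "category": "CATEGORY_D",  # no severity set
     "description": "DESCRIPTION", "eventTime": "2024-05-25T10:00:00Z", "recommendation": "RECOMMENDATION"},
]


def parse_time(ts: str) -> datetime:
    # eventTime is RFC 3339 with a trailing Z; fromisoformat before Python 3.11 needs +00:00.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def severity_bucket(finding: dict) -> str:
    """Map a finding severity onto the statistics buckets; anything unknown is 'undefined'."""
    sev = (finding.get("severity") or "").lower()
    return sev if sev in SEVERITY_BUCKETS else "undefined"


def to_record(finding: dict, section: str) -> dict:
    """Build one data row; vulnerabilities carry a CVE, misconfigurations a recommendation."""
    row = {
        "category": finding.get("category"),
        "description": finding.get("description"),
        "event_time": finding.get("eventTime"),
        "severity": finding.get("severity"),
    }
    if section == "vulnerabilities":
        row["cve_id"] = finding.get("cve_id")
        row["related_references"] = finding.get("related_references", "")
    else:
        row["recommendation"] = finding.get("recommendation")
    return row


def list_asset_vulnerabilities(findings, timeframe="All Time",
                               record_types="Vulnerabilities + Misconfigurations",
                               output_type="Statistics", max_records=100, now=None):
    """Apply the action inputs to one asset's findings and build its JSON result."""
    now = now or datetime.now(timezone.utc)
    window = TIMEFRAMES[timeframe]
    wanted = RECORD_TYPES[record_types]
    result = {}
    for section, cls in (("vulnerabilities", "VULNERABILITY"),
                         ("misconfigurations", "MISCONFIGURATION")):
        if cls not in wanted:
            continue
        matching = [f for f in findings if f.get("findingClass") == cls
                    and (window is None or parse_time(f["eventTime"]) >= now - window)]
        matching.sort(key=lambda f: parse_time(f["eventTime"]), reverse=True)  # newest first
        body = {}
        if "Statistics" in output_type:
            # Assumption: statistics count every matching finding; only the data
            # array below is capped by max_records, so totals stay truthful.
            counts = {bucket: 0 for bucket in SEVERITY_BUCKETS}
            for f in matching:
                counts[severity_bucket(f)] += 1
            body["statistics"] = counts
        if "Data" in output_type:
            body["data"] = [to_record(f, section) for f in matching[:max_records]]
        result[section] = body
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(list_asset_vulnerabilities(
        SAMPLE_FINDINGS, output_type="Statistics + Data", now=NOW), indent=2))
```

With the defaults (All Time, both record types, Statistics only) the constructed batch yields one critical and one low vulnerability and one high plus one undefined misconfiguration; switching Timeframe to Last Week drops the 2023 finding from both the counts and the data.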
Output messages

The List Asset Vulnerabilities action can return the following output messages:

Output message Message description

Successfully returned related vulnerabilities and misconfigurations to the following entities in Security Command Center: ASSET_IDS.

No vulnerabilities and misconfigurations were found to the following entities in Security Command Center: ASSET_IDS.

No vulnerabilities and misconfigurations were found for the provided assets in Security Command Center.

The action succeeded.
Error executing action "List Asset Vulnerabilities". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the List Asset Vulnerabilities action:

Script result name Value
is_success True or False

Ping

Use the Ping action to test connectivity to Security Command Center.

This action doesn't run on Google SecOps entities.

Action inputs

None.

Action outputs

The Ping action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available

Output messages

The Ping action can return the following output messages:

Output message Message description

Successfully connected to the Security Command Center server with the provided connection parameters!

The action succeeded.
Failed to connect to the Security Command Center server! Error is ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Ping action:

Script result name Value
is_success True or False

Update finding

Use the Update finding action to update a finding in Security Command Center.

This action doesn't run on Google SecOps entities.

Action inputs

The Update finding action requires the following parameters:

Parameter Description
Finding Name

Required.

Finding names to update. This parameter accepts multiple values as a comma-separated list.

The example for finding names is as follows: organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID

Mute Status

Optional.

The mute status for the finding.

The possible values are as follows:

  • Select One
  • Mute
  • Unmute

State Status

Optional.

The finding state.

The possible values are as follows:

  • Select One
  • Active
  • Inactive

Action outputs

The Update finding action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available

Output messages

The Update finding action can return the following output messages:

Output message Message description

Successfully updated the following findings in Security Command Center: FINDING_NAMES

Action wasn't able to find the following findings in Security Command Center: FINDING_NAMES

None of the provided findings were found in Security Command Center.

The action succeeded.
Error executing action "Update finding". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Update finding action:

Script result name Value
is_success True or False

Connectors

For more detail about how to configure connectors in Google SecOps, see Ingest your data (connectors).

Google Security Command Center - Findings Connector

Use the Google Security Command Center - Findings Connector to retrieve information about findings from Security Command Center.

The dynamic list filter works with categories.

Connector inputs

The Google Security Command Center - Findings Connector requires the following parameters:

Parameter Description
Product Field Name

Required.

The name of the field where the product name is stored.

The default value is Product Name.

The product name primarily impacts mapping. To streamline and improve the mapping process for the connector, the default value resolves to a fallback value that is referenced from the code. Any invalid input for this parameter resolves to a fallback value by default.

Event Field Name

Required.

The name of the field that determines the event name (subtype).

The default value is category.

Environment Field Name

Optional.

The name of the field where the environment name is stored.

If the environment field is missing, the connector uses the default value.

Environment Regex Pattern

Optional.

A regular expression pattern to run on the value found in the Environment Field Name field. This parameter lets you manipulate the environment field using the regular expression logic.

Use the default value .* to retrieve the required raw Environment Field Name value.

If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment.

Script Timeout (Seconds)

Required.

The timeout limit, in seconds, for the Python process that runs the current script.

The default value is 180.

API Root

Required.

The API root of the Security Command Center instance.

The default value is https://securitycenter.googleapis.com.

Organization ID

Optional.

The ID of an organization to use in the Security Command Center integration.

Project ID

Optional.

The project ID of the Security Command Center instance.

Quota Project ID

Optional.

The Google Cloud project ID that you use for Google Cloud APIs and billing. This parameter requires you to grant the Service Usage Consumer role to your service account.

If you don't set a value for this parameter, the integration retrieves the project ID from your Google Cloud service account.

User's Service Account

Required.

The content of the service account key JSON file.

You can configure this parameter or the Workload Identity Email parameter.

To configure this parameter, provide the full content of the service account key JSON file that you downloaded when you created a service account.

Workload Identity Email

Optional.

The client email address of your service account.

You can configure this parameter or the User's Service Account parameter.

If you set this parameter, configure the Quota Project ID parameter.

To impersonate service accounts with the Workload Identity Federation, grant the Service Account Token Creator role to your service account. For more details about workload identities and how to work with them, see Identities for workloads.

Finding Class Filter

Optional.

The finding classes for the connector to ingest.

The possible values are as follows:

  • Threat
  • Vulnerability
  • Misconfiguration
  • SCC_Error
  • Observation

If you don't set a value, the connector ingests findings from all classes.

The default value is Threat,Vulnerability,Misconfiguration,SCC_Error,Observation.

Lowest Severity To Fetch

Optional.

The lowest severity of the alerts to retrieve.

If you don't configure this parameter, the connector ingests alerts with all severity levels.

The connector treats alerts with undefined severity as those with Medium severity.

The possible values are as follows:

  • Low
  • Medium
  • High
  • Critical

The default value is High.

Max Hours Backwards

Optional.

The number of hours prior to now to retrieve findings.

This parameter applies to the initial connector iteration after you enable the connector for the first time, and serves as the fallback value when the connector timestamp has expired.

The maximum value is 24.

The default value is 1.

Max Findings To Fetch

Optional.

The number of findings to process in every connector iteration.

The maximum value is 1000.

The default value is 100.

Use dynamic list as a blacklist

Required.

If selected, the connector uses the dynamic list as a blocklist.

Not selected by default.

Verify SSL

Required.

If selected, the integration validates the SSL certificate when connecting to the Security Command Center server.

Not selected by default.

Proxy Server Address

Optional.

The address of the proxy server to use.

Proxy Username

Optional.

The proxy username to authenticate with.

Proxy Password

Optional.

The proxy password to authenticate with.

Connector rules

The Google Security Command Center - Findings Connector supports proxies.
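
The connector inputs above interact in ways worth seeing together: Lowest Severity To Fetch treats findings with no severity as Medium, the Finding Class Filter and the dynamic list (as an allowlist, or as a blocklist when Use dynamic list as a blacklist is selected) both narrow the batch by class and category, Max Hours Backwards is capped at 24, and Max Findings To Fetch limits each iteration. The following Python is an added illustration of those selection rules, not the connector's own code. It runs on a constructed batch of findings with short placeholder names (F1 to F5) instead of full organizations/.../findings/FINDING_ID resource names, and with a fixed reference time NOW so the result is reproducible; the ordering of a capped batch (oldest first) is an assumption the code labels.

```python
from datetime import datetime, timedelta, timezone

SEVERITY_ORDER = ("LOW", "MEDIUM", "HIGH", "CRITICAL")
ALL_CLASSES = ("Threat", "Vulnerability", "Misconfiguration", "SCC_Error", "Observation")
MAX_HOURS_BACKWARDS_LIMIT = 24

# Constructed findings; F1 to F5 are placeholder names, not real resource names.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    {"name": "F1", "findingClass": "THREAT", "severity": "HIGH",
     "category": "Discovery: Service Account Self-Investigation", "eventTime": "2024-06-01T11:30:00Z"},
    {"name": "F2", "findingClass": "VULNERABILITY", "severity": "",  # severity not set
     "category": "CATEGORY_B", "eventTime": "2024-06-01T11:40:00Z"},
    {"name": "F3", "findingClass": "OBSERVATION", "severity": "CRITICAL",
     "category": "CATEGORY_C", "eventTime": "2024-06-01T11:45:00Z"},
    {"name": "F4", "findingClass": "THREAT", "severity": "LOW",
     "category": "CATEGORY_D", "eventTime": "2024-06-01T11:50:00Z"},
    {"name": "F5", "findingClass": "THREAT", "severity": "CRITICAL",  # 16 hours old
     "category": "CATEGORY_E", "eventTime": "2024-05-31T20:00:00Z"},
]


def parse_time(ts: str) -> datetime:
    # eventTime is RFC 3339 with a trailing Z; fromisoformat before Python 3.11 needs +00:00.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def effective_severity(finding: dict) -> str:
    """Place the finding on the severity scale; an undefined severity counts as Medium."""
    sev = (finding.get("severity") or "").upper()
    return sev if sev in SEVERITY_ORDER else "MEDIUM"


def select_findings(findings, *, finding_classes=ALL_CLASSES, lowest_severity="High",
                    max_hours_backwards=1, max_findings=100, dynamic_list=(),
                    use_as_blocklist=False, now=None):
    """Apply the connector inputs to a batch of findings and return the ones to ingest."""
    if not 0 < max_hours_backwards <= MAX_HOURS_BACKWARDS_LIMIT:
        raise ValueError(f"Max Hours Backwards must be between 1 and {MAX_HOURS_BACKWARDS_LIMIT}")
    now = now or datetime.now(timezone.utc)
    start = now - timedelta(hours=max_hours_backwards)
    threshold = SEVERITY_ORDER.index(lowest_severity.upper())
    classes = {c.upper() for c in finding_classes}
    listed = set(dynamic_list)

    selected = []
    for f in findings:
        if parse_time(f["eventTime"]) < start:
            continue  # outside the Max Hours Backwards window
        if f.get("findingClass", "").upper() not in classes:
            continue  # excluded by Finding Class Filter
        if SEVERITY_ORDER.index(effective_severity(f)) < threshold:
            continue  # below Lowest Severity To Fetch
        if listed and (f.get("category") in listed) == use_as_blocklist:
            continue  # dynamic list: drop listed categories as a blocklist, unlisted ones as an allowlist
        selected.append(f)

    # Assumption: oldest first, so a batch capped by Max Findings To Fetch still
    # advances the connector timestamp without skipping findings in between.
    selected.sort(key=lambda f: parse_time(f["eventTime"]))
    return selected[:max_findings]


if __name__ == "__main__":
    for f in select_findings(SAMPLE_FINDINGS, lowest_severity="Medium", now=NOW):
        print(f["name"], f["findingClass"], effective_severity(f), f["category"])
```

With the documented defaults (all classes, lowest severity High, one hour back) only F1 and F3 survive: F2 has no severity and is treated as Medium, F4 is Low, and F5 is older than the window. Lowering the threshold to Medium admits F2, which is the behaviour to expect when a source emits findings without a severity.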