This page explains how to automatically send Security Command Center findings, assets, audit logs, and security sources to Splunk. It also describes how to manage the exported data. Splunk is a security information and event management (SIEM) platform that ingests security data from one or more sources and lets security teams manage responses to incidents and perform real-time analytics.
In this guide, you ensure that required Security Command Center and Google Cloud services are properly configured and enable Splunk to access findings, audit logs, and asset information in your Security Command Center environment.
Before you begin
This guide assumes you are using one of the following:
- Splunk Enterprise version 8.1, 8.2, or 9.0
- Hosting Splunk in Google Cloud, Amazon Web Services, or Microsoft Azure
Configure authentication and authorization
Before connecting to Splunk, you need to create an Identity and Access Management (IAM) service account in each Google Cloud organization that you want to connect and grant the account both the organization-level and project-level IAM roles that the Google SCC Add-on for Splunk needs.
Create a service account and grant IAM roles
The following steps use the Google Cloud console. For other methods, see the links at the end of this section.
Complete these steps for each Google Cloud organization that you want to import Security Command Center data from.
1. In the same project in which you create your Pub/Sub topics, use the Service Accounts page in the Google Cloud console to create a service account. For instructions, see Creating and managing service accounts.
2. Grant the service account the following role:
   - Pub/Sub Editor (roles/pubsub.editor)
3. Copy the name of the service account that you just created.
4. Use the project selector in the Google Cloud console to switch to the organization level.
5. Open the IAM page for the organization.
6. On the IAM page, click Grant access. The Grant access panel opens.
7. In the Grant access panel, complete the following steps:
   - In the Add principals section, in the New principals field, paste the name of the service account.
   - In the Assign roles section, use the Role field to grant the following IAM roles to the service account:
     - Security Center Admin Editor (roles/securitycenter.adminEditor)
     - Security Center Notification Configurations Editor (roles/securitycenter.notificationConfigEditor)
     - Organization Viewer (roles/resourcemanager.organizationViewer)
     - Cloud Asset Viewer (roles/cloudasset.viewer)
8. Click Save. The service account appears on the Permissions tab of the IAM page under View by principals.
By inheritance, the service account also becomes a principal in all child projects of the organization. The roles that are applicable at the project level are listed as inherited roles.
For more information about creating service accounts and granting roles, see the following topics:
Provide the credentials to Splunk
Depending on where you are hosting Splunk, how you provide the IAM credentials to Splunk differs.
If you are hosting Splunk in Google Cloud, consider the following:
- The service account that you created and the organization-level roles that you granted to it are available automatically by inheritance from the parent organization. If you are using multiple Google Cloud organizations, add this service account to the other organizations and grant it the IAM roles that are described in steps 5 to 7 of Create a service account and grant IAM roles.
- If you deploy Splunk in a service perimeter, create the ingress and egress rules. For instructions, see Granting perimeter access in VPC Service Controls.
If you are hosting Splunk Enterprise in your on-premises environment, create a service account key for each Google Cloud organization. You will need the service account keys in JSON format to complete this guide.
If you are hosting Splunk in another cloud, configure workload identity federation and download the credentials configuration files. If you are using multiple Google Cloud organizations, add this service account to the other organizations and grant it the IAM roles that are described in steps 5 to 7 of Create a service account and grant IAM roles.
Configure notifications
Complete these steps for each Google Cloud organization that you want to import Security Command Center data from.
You will need your organization IDs, Pub/Sub topic names, and Pub/Sub subscription names from this task to configure Splunk.
Enable finding notifications for Pub/Sub, which includes the following steps:
1. Enable the Security Command Center API.
2. Create three Pub/Sub topics:
   - a topic for findings
   - a topic for assets
   - a topic for audit logs
3. Create a notificationConfig for the findings in Security Command Center. The notificationConfig exports the Security Command Center findings to Pub/Sub based on filters that you specify.
4. Enable the Cloud Asset API for your project.
5. Create feeds for your assets. You must create two feeds in the same Pub/Sub topic: one for your resources and another for your Identity and Access Management (IAM) policies.
   - The Pub/Sub topic for assets must be different from the one used for findings.
   - For the feed for your resources, use the following filter:
     content-type=resource
   - For the IAM policies feed, use the following filter:
     content-type=iam-policy --asset-types="cloudresourcemanager.googleapis.com/Project"
6. Create a destination sink for the audit logs. This integration uses a Pub/Sub topic as the destination.
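The three topics above each carry a different message shape, and the asset topic carries two (one per feed content type). The following added example, which is not code from the Google SCC Add-on for Splunk, classifies a Pub/Sub message payload into the source types the app exposes in Search (findings, assets, IAM assets, auditlogs), checks that an IAM-policy feed message matches the Project-only asset-types filter shown above, and pulls out the columns the dashboards later display. Payload shapes follow the published Security Command Center finding notification, Cloud Asset Inventory feed and Cloud Audit Logs LogEntry formats; every value, name and ID in the samples is constructed.

```python
"""Classify SCC Pub/Sub messages and extract the fields the Splunk dashboards show.
Added example, not the add-on's own code. Sample payloads are constructed."""
import json

PROJECT_ASSET_TYPE = "cloudresourcemanager.googleapis.com/Project"

# --- constructed sample payloads, one per topic / feed content type ----------
FINDING_MSG = json.dumps({
    "notificationConfigName": "organizations/111111111111/notificationConfigs/splunk-findings",
    "finding": {
        "name": "organizations/111111111111/sources/222/findings/abc123",
        "parent": "organizations/111111111111/sources/222",
        "resourceName": "//compute.googleapis.com/projects/example-project/global/firewalls/allow-all",
        "state": "ACTIVE", "category": "OPEN_FIREWALL", "severity": "HIGH",
        "findingClass": "MISCONFIGURATION", "eventTime": "2024-01-01T00:00:00Z",
        "securityMarks": {"marks": {"owner": "netsec"}},
    },
})
RESOURCE_FEED_MSG = json.dumps({            # feed created with content-type=resource
    "asset": {
        "name": "//compute.googleapis.com/projects/example-project/zones/us-central1-a/instances/vm-1",
        "assetType": "compute.googleapis.com/Instance",
        "resource": {"data": {"name": "vm-1"}},
        "updateTime": "2024-01-01T00:00:00Z",
    },
    "priorAssetState": "PRESENT",
})
IAM_FEED_MSG = json.dumps({                 # feed created with content-type=iam-policy
    "asset": {
        "name": "//cloudresourcemanager.googleapis.com/projects/123456789012",
        "assetType": PROJECT_ASSET_TYPE,
        "iamPolicy": {"bindings": [{"role": "roles/owner", "members": ["user:alice@example.com"]}]},
        "updateTime": "2024-01-01T00:00:00Z",
    },
})
AUDIT_LOG_MSG = json.dumps({                # LogEntry delivered by the audit log sink
    "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
    "severity": "NOTICE", "timestamp": "2024-01-01T00:00:00Z",
    "resource": {"type": "service_account", "labels": {"project_id": "example-project"}},
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": "iam.googleapis.com",
        "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
        "resourceName": "projects/-/serviceAccounts/splunk-sa@example-project.iam.gserviceaccount.com",
    },
})


def classify_message(data: str) -> str:
    """Return the Splunk source type a message belongs to, or 'unknown'.
    Sources are fetched through the API rather than Pub/Sub, so they never appear here."""
    payload = json.loads(data)
    if "notificationConfigName" in payload and "finding" in payload:
        return "findings"
    asset = payload.get("asset")
    if isinstance(asset, dict):
        # Both feeds publish to the same topic; the content type decides which
        # sub-object is present, so that is what separates the two source types.
        if "iamPolicy" in asset:
            return "iamassets"
        if "resource" in asset:
            return "assets"
    if "protoPayload" in payload and "logName" in payload:
        return "auditlogs"
    return "unknown"


def iam_feed_matches_project_filter(data: str) -> bool:
    """True when an IAM-policy feed message carries the asset type that the
    --asset-types filter restricts the feed to; False suggests the feed was
    created without that filter (or the message is not an IAM-policy message)."""
    asset = json.loads(data).get("asset", {})
    return "iamPolicy" in asset and asset.get("assetType") == PROJECT_ASSET_TYPE


def dashboard_fields(data: str) -> dict:
    """Extract the columns the Findings, Assets and Audit logs dashboards display."""
    kind = classify_message(data)
    payload = json.loads(data)
    if kind == "findings":
        f = payload["finding"]
        return {"category": f.get("category"), "asset_name": f.get("resourceName"),
                "source_name": f.get("parent"), "finding_class": f.get("findingClass"),
                "severity": f.get("severity"), "state": f.get("state")}
    if kind in ("assets", "iamassets"):
        a = payload["asset"]
        return {"asset_name": a.get("name"), "asset_type": a.get("assetType"),
                "last_update": a.get("updateTime")}
    if kind == "auditlogs":
        p = payload["protoPayload"]
        return {"time": payload.get("timestamp"), "log_name": payload.get("logName"),
                "severity": payload.get("severity"), "service_name": p.get("serviceName"),
                "resource_name": p.get("resourceName"),
                "resource_type": payload.get("resource", {}).get("type")}
    return {}


if __name__ == "__main__":
    for msg in (FINDING_MSG, RESOURCE_FEED_MSG, IAM_FEED_MSG, AUDIT_LOG_MSG):
        print(classify_message(msg), dashboard_fields(msg))
```

Running the module prints one classified record per sample. The project-filter check is the kind of sanity test worth running on the first few IAM-policy messages a new subscription delivers: if the feed was created without the `--asset-types` restriction, every other IAM-bearing asset type will show up too and the IAM assets index grows far beyond what the dashboards were built for.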
Install Google SCC App for Splunk and Google SCC Add-on for Splunk
In this section, you install the Google SCC App for Splunk and the Google SCC Add-on for Splunk. These apps, which are maintained by Security Command Center, automate the process of scheduling Security Command Center API calls, regularly retrieve Security Command Center data for use in Splunk, and set up the dashboards that allow you to view Security Command Center data in Splunk.
App installation requires access to the Splunk web interface.
If you have a distributed Splunk deployment, install the apps as follows:
- Install the Google SCC App for Splunk on the Splunk heavy forwarder and the Splunk search heads.
- Install the Google SCC Add-on for Splunk on the Splunk search heads.
To complete the installation, do the following:
1. In the Splunk web interface, go to the Apps gear icon.
2. Select Manage Apps > Browse more apps.
3. Search for and install the following apps:
   - Google SCC Add-on for Splunk
   - Google SCC App for Splunk
Both apps appear in your Apps list. Continue to Connect Splunk to Google Cloud to configure the apps.
Upgrade Google SCC App for Splunk and Google SCC Add-on for Splunk
1. Disable all existing inputs:
   a. In the Splunk web interface, click Apps > Google SCC Add-on for Splunk.
   b. Select the Inputs tab.
   c. For each input, click Action > Disable.
2. Remove the Security Command Center indexed data. You can use the Splunk CLI clean command to remove indexed data from an app before deleting the app.
3. Perform the upgrade:
   a. In the Splunk web interface, go to the Apps gear icon.
   b. Select Manage Apps > Browse more apps.
   c. Search for and upgrade the following apps:
      - Google SCC Add-on for Splunk
      - Google SCC App for Splunk
   d. If prompted, restart Splunk.
4. For each new Google Cloud organization, complete the Connect Splunk to Google Cloud section.
5. Create the new inputs, as described in Add the Security Command Center data inputs.
Connect Splunk to Google Cloud
You must have the admin_all_objects capability in Splunk to complete this task.
1. If you installed Splunk on Amazon Web Services or Microsoft Azure, do the following:
   a. Open a terminal window.
   b. Navigate to the Google SCC App for Splunk directory:
      cd $SPLUNK_HOME/etc/apps/TA_GoogleSCC/local/
   c. Open ta_googlescc_settings.conf in a text editor:
      sudo vim ta_googlescc_settings.conf
   d. Add the following lines to the end of the file:
      [additional_parameters]
      scheme = http
   e. Save and close the file.
   f. Restart the Splunk platform.
2. In the Splunk web interface, click Apps > Google SCC Add-on for Splunk > Configuration > Google SCC Account.
3. Select the Configuration tab.
4. Click Add.
5. Do one of the following, depending on the field that appears:
   - If the Service Account JSON field is displayed, browse to the JSON file that includes the service account key.
   - If the Credential Configuration field is displayed, browse to the credential configuration file that you downloaded when you set up workload identity federation.
   - If you deployed Splunk in Google Cloud or completed step 1, the service account configuration is automatically detected.
6. In the Organization field, add your Google Cloud organization ID.
7. If you are using a proxy server to connect Splunk with Google Cloud, do the following:
   - Click the Proxy tab.
   - Select Enable.
   - Select your proxy type (HTTPS, SOCKS4, or SOCKS5).
   - Add your proxy hostname, port, and optionally, the username and password.
8. In the Logging tab, select the logging level for the add-on.
9. Click Save.
10. Complete steps 2-9 for each Google Cloud organization that you want to integrate.
11. Create data inputs for your Google Cloud organizations, as described in Add the Security Command Center data inputs.
Add the Security Command Center data inputs
1. In the Splunk web interface, click Apps > Google SCC Add-on for Splunk.
2. Select the Inputs tab.
3. Click Create New Input.
4. Select one of the inputs:
   - Source Input
   - Findings Input
   - Asset Input
   - Audit Logs Input
5. Click the Edit icon.
6. Enter the following information:
   - Input name: The default name for your data input
   - Interval: The time (in seconds) to wait between calls for data
   - Index: The Splunk index that the Security Command Center data goes to
   - Assets Subscription Id: For asset inputs only, the name of the Pub/Sub subscription for resources
   - Audit Logs Subscription Id: For audit logs input only, the name of the Pub/Sub subscription for audit logs
   - Findings Subscription Id: For findings input only, the name of the Pub/Sub subscription for findings
   - Maximum Fetching: The maximum number of assets to fetch in one call
7. Click Update.
8. Repeat steps 3 through 7 for each input that you want to add.
9. Repeat steps 3 through 8 for each Google Cloud organization that you want to integrate.
10. In the Status row, enable the data inputs that you want to forward to Splunk.
Update the Splunk index
Complete this task if you do not use the main Splunk index:
1. In the Splunk web interface, click Settings > Advanced Search > Search macros.
2. Select Google SCC App for Splunk.
3. Select googlescc_index.
4. Update index=main to use your index.
5. Click Save.
View Security Command Center data in Splunk
1. In the Splunk web interface, click Apps > Google SCC Add-on for Splunk.
2. Select the Search tab.
3. Set your search query, for example index="main".
4. Select the time range.
5. Click the Search icon.
6. Filter data by source type (one of sources, assets, auditlogs, IAM assets, or findings), as required.
View the dashboards
The Google SCC App for Splunk allows you to visualize the data from Security Command Center. It includes five dashboards: Overview, Sources, Findings, Assets, Audit Logs, and Search.
You can access these dashboards in the Splunk web interface, from the Apps > Google SCC App for Splunk page.
Overview dashboard
The Overview dashboard contains a series of charts that display the total number of findings in your organization by severity level, category, and state. Findings are compiled from Security Command Center's built-in services, such as Security Health Analytics, Web Security Scanner, Event Threat Detection, and Container Threat Detection, and from any integrated services you enable.
To filter content, you can set the time range and organization ID.
Additional charts show which categories, projects, and assets are generating the most findings.
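The same roll-up the Overview dashboard performs, written out as an added example (not the app's own search or dashboard code): totals by severity, category and state, an optional organization ID filter, and the projects and assets generating the most findings. The project attribution shows the edge case a dashboard author has to handle: a notification's top-level resource block names the project directly when present, but not every finding carries one, and resource names such as a bucket's have no /projects/ segment, so those findings are reported under "unknown" rather than silently dropped. All findings, projects and organization IDs below are constructed.

```python
"""Overview-style aggregation over SCC finding notifications.
Added example, not the Google SCC App for Splunk's own code. Data is constructed."""
import re
from collections import Counter

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "SEVERITY_UNSPECIFIED"]
_PROJECT_RE = re.compile(r"/projects/([^/]+)")
_ORG_RE = re.compile(r"^organizations/(\d+)/")

# Constructed notifications: the "finding" object plus, for some, the "resource"
# block that a notification carries alongside it. Org 111111111111 has four
# findings, org 222222222222 has one.
FINDINGS = [
    {"finding": {"name": "organizations/111111111111/sources/1/findings/f1",
                 "category": "OPEN_FIREWALL", "severity": "HIGH", "state": "ACTIVE",
                 "resourceName": "//compute.googleapis.com/projects/proj-a/global/firewalls/allow-all"}},
    {"finding": {"name": "organizations/111111111111/sources/1/findings/f2",
                 "category": "PUBLIC_BUCKET_ACL", "severity": "HIGH", "state": "ACTIVE",
                 "resourceName": "//storage.googleapis.com/proj-a-logs"},      # no /projects/ segment
     "resource": {"name": "//storage.googleapis.com/proj-a-logs", "projectDisplayName": "proj-a"}},
    {"finding": {"name": "organizations/111111111111/sources/1/findings/f3",
                 "category": "OPEN_FIREWALL", "severity": "MEDIUM", "state": "INACTIVE",
                 "resourceName": "//compute.googleapis.com/projects/proj-b/global/firewalls/ssh-any"}},
    {"finding": {"name": "organizations/111111111111/sources/1/findings/f4",
                 "category": "USER_MANAGED_SERVICE_ACCOUNT_KEY", "severity": "LOW", "state": "ACTIVE",
                 "resourceName": "//iam.googleapis.com/projects/proj-b/serviceAccounts/ci@proj-b.iam.gserviceaccount.com"}},
    {"finding": {"name": "organizations/222222222222/sources/1/findings/f5",
                 "category": "MFA_NOT_ENFORCED", "severity": "HIGH", "state": "ACTIVE",
                 "resourceName": "//cloudresourcemanager.googleapis.com/organizations/222222222222"}},
]


def project_of(notification: dict) -> str:
    """Project a finding belongs to: the resource block's projectDisplayName when
    present, else the /projects/<id> segment of resourceName, else 'unknown'."""
    res = notification.get("resource") or {}
    if res.get("projectDisplayName"):
        return res["projectDisplayName"]
    m = _PROJECT_RE.search(notification.get("finding", {}).get("resourceName", ""))
    return m.group(1) if m else "unknown"


def organization_of(notification: dict):
    """Organization ID parsed from the finding name, or None if it is not org-scoped."""
    m = _ORG_RE.match(notification.get("finding", {}).get("name", ""))
    return m.group(1) if m else None


def overview(notifications, organization_id=None, top_n=3) -> dict:
    """Counts by severity (in display order), category, state, and the top
    projects / assets, optionally restricted to one organization ID."""
    by_sev, by_cat, by_state = Counter(), Counter(), Counter()
    by_proj, by_asset = Counter(), Counter()
    for n in notifications:
        if organization_id and organization_of(n) != organization_id:
            continue
        f = n["finding"]
        by_sev[f.get("severity", "SEVERITY_UNSPECIFIED")] += 1
        by_cat[f.get("category", "UNKNOWN")] += 1
        by_state[f.get("state", "STATE_UNSPECIFIED")] += 1
        by_proj[project_of(n)] += 1
        by_asset[f.get("resourceName", "unknown")] += 1
    return {
        "by_severity": {s: by_sev[s] for s in SEVERITY_ORDER if by_sev[s]},
        "by_category": dict(by_cat.most_common()),
        "by_state": dict(by_state),
        "top_projects": by_proj.most_common(top_n),
        "top_assets": by_asset.most_common(top_n),
    }


if __name__ == "__main__":
    print(overview(FINDINGS))
    print(overview(FINDINGS, organization_id="111111111111"))
```

Calling overview(FINDINGS, organization_id="111111111111") reproduces the dashboard's organization filter; without the argument the roll-up spans every organization whose findings have been ingested, which is usually not what an analyst looking at one tenant wants.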
Assets dashboard
The Assets dashboard displays a table of the 1000 most recently created or modified Google Cloud assets. The table shows asset name, asset type, resource owner, and last update time.
You can filter asset data by time range, organization ID, and asset type. If you click View in the Redirect To SCC column, you are redirected to Security Command Center's Assets page in the Google Cloud console and shown details for the selected asset.
Audit logs dashboard
The Audit logs dashboard displays a series of charts and tables that show audit log information. The audit logs that are included in the dashboard are the administrator activity, data access, system events, and policy denied audit logs. The table includes the time, log name, severity, service name, resource name, and resource type.
You can filter the data by time range, organization ID, and log name.
Findings dashboard
The Findings dashboard includes a table of the 1000 most recent findings. The table column includes items such as category, asset name, source name, security marks, finding class, and severity.
You can filter the data by time range, organization ID, category, severity, source name, asset name, project name, or finding class. In addition, in the Update Status column, you can update the state of a finding. To indicate that you are actively reviewing a finding, click Mark as ACTIVE. If you are not actively reviewing a finding, click Mark as INACTIVE.
If you click a finding name, you are redirected to Security Command Center's Findings page in the Google Cloud console and shown details for the selected finding.
Sources dashboard
The Sources dashboard shows a table of all your security sources. Table columns include name, display name, and description.
To filter content, you can set the time range.
Uninstall the apps
Uninstall the apps when you no longer wish to retrieve Security Command Center data for Splunk.
1. In the Splunk web interface, go to Apps > Manage Apps.
2. Search for Google SCC App for Splunk. In the Status column, click Disable.
3. Search for Google SCC Add-on for Splunk. In the Status column, click Disable.
4. Optionally, remove the Security Command Center indexed data. You can use the Splunk CLI clean command to remove indexed data from an app before deleting the app.
5. In a Splunk standalone environment, do the following:
   a. Open a terminal and log in to Splunk.
   b. Delete the apps and their directories in $SPLUNK_HOME/etc/apps/APPNAME:
      ./splunk remove app APPNAME -auth USERNAME:PASSWORD
      Replace APPNAME with GoogleSCCAppforSplunk or TA_GoogleSCC. Repeat step b for the other app.
   c. Optionally, remove the user-specific directories by deleting any files found in $SPLUNK_HOME/etc/users/*/GoogleSCCAppforSplunk and $SPLUNK_HOME/etc/users/*/TA_GoogleSCC.
   d. Restart the Splunk platform.
6. In a distributed Splunk environment, do the following:
   a. Log in to the deployer manager.
   b. Delete the apps and their directories in $SPLUNK_HOME/etc/apps/APPNAME:
      ./splunk remove app APPNAME -auth USERNAME:PASSWORD
      Replace APPNAME with GoogleSCCAppforSplunk or TA_GoogleSCC. Repeat step b for the other app.
   c. Run the splunk apply shcluster-bundle command:
      splunk apply shcluster-bundle -target URI:MANAGEMENT_PORT -auth USERNAME:PASSWORD
What's next
Learn more about setting up finding notifications in Security Command Center.
Read about filtering finding notifications in Security Command Center.