By Your Powers Combined! SCC and Chronicle SIEM Form a Cloud Security Captain Planet

Security Command Center (SCC) and Chronicle Security Information and Event Management (SIEM) are two powerful security tools that can significantly enhance an organization's security posture. When integrated, these products offer a comprehensive and unified view of an organization's security telemetry, enabling more effective threat detection, investigation, and response.

Benefits of Integrating Google SCC and Chronicle SIEM

  • Unified Security Visibility:
    • Provides a single pane of glass for viewing all security telemetry, including alerts, events, and investigations, from SCC, Chronicle SIEM, and the rest of the infrastructure and security data reporting to your SIEM.
    • Enhances situational awareness for security analysts, enabling them to quickly identify and respond to threats across the organization's entire security environment.
  • Enhanced Threat Detection:
    • Security analysts can use the integrated platform to proactively hunt for threats across the entire security environment.
    • Correlates data from various sources to identify anomalous activities, suspicious patterns, and potential threats that may have otherwise gone unnoticed.
  • Improved Incident Response:
    • Provides a centralized platform for investigating and responding to security incidents.
    • Facilitates collaboration among security analysts, incident responders, and other stakeholders, enabling faster and more effective incident resolution.
  • Simplified Security Operations:
    • Offers a single point of management for both SCC and Chronicle SIEM, reducing the administrative burden on security teams.
    • Enables centralized policy management, user management, and reporting, streamlining security operations and improving efficiency.
  • Security Compliance:
    • Helps organizations demonstrate compliance with regulatory requirements and industry standards.
    • Provides a single source of truth for security telemetry, enabling organizations to easily generate reports and meet compliance obligations.

The Role of SCC Curated Rules in Chronicle

Chronicle offers pre-built rules tailored around SCC threat detections. These rules:

  • Proactively Alert: Trigger notifications on critical threats detected by SCC, significantly speeding up response.
  • Automate Analysis: Reduce the manual effort of sifting through noise, freeing analysts to focus on high-priority issues.
  • Cover Key Threat Types: Address common Google Cloud misconfigurations, vulnerabilities, and malicious behaviors.

These curated detections can correlate between other findings, giving the analyst a more comprehensive picture of the potential security threats and incidents.

While it's useful to look at the summary of an alert that correlates multiple findings, you can still inspect each individual finding as needed, with SCC and other logs parsed into our unified schema (UDM) fields.

Each event you find here also contains a link to the original finding in SCC, should you want to pivot your investigation there.

This is not all: Chronicle doesn't just parse the data in the raw log message; where possible it also automatically enriches the data, giving additional context for certain resource types (enriched fields are marked with the letter 'E').

UDM Queries and Natural Language Query Generation

Using the out-of-the-box curated rules is a good way to correlate events and generate alerts automatically, but the fun does not stop there. You can also search your SCC data (and the other logs in your Chronicle SIEM) using UDM query search. The query language is straightforward and can be mastered with a bit of practice, but if you are not a UDM Query Ninja yet, fear not: the natural-language Generate Query function comes to the rescue. It translates requests like "Show me all SCC events with User resource access event type" into a Chronicle query!

You can also pivot into additional details on each log event and hunt for data and threats across your SCC and SIEM infrastructure as needed.

Entities, entities, entities

We talked about data enrichment via entities earlier, but entities are not limited to that function. We also track the alerts associated with each entity, so you can base some of your investigations on the resources that are of particular interest to you.

Conclusion

We have covered the benefits and some of the functions of Chronicle SIEM + SCC at a high level; each of the topics mentioned in this post could fill its own post (if not several), and it would be difficult to cover all of them in depth in a single discussion.

If you are interested in any of the Chronicle SIEM areas covered here, please check out the recommended links at the bottom of this post and have a look around our Chronicle SIEM community posts.

Once you're ready, let's turn it up a level and start looking into ways to:

  • Integrate SIEM and SCC alerts with a SOAR platform and develop playbooks that automate your response to certain types of incidents and findings
  • Create your own Chronicle SIEM rules to correlate SCC findings with the rest of your security and infrastructure logs

Over the coming weeks I will cover some of these topics.

Please let me know in the comments if you have any questions or other neat ways you have found for these two products to work together!


CDIR SCC Enhanced rule sets in Chronicle

https://cloud.google.com/chronicle/docs/detection/cloud-threats-category#cdir_scc_enhanced_rule_sets

Exporting SCC Premium Findings to Chronicle

https://cloud.google.com/chronicle/docs/ingestion/cloud/ingest-gcp-logs#exporting_security_command_c...

Detect and investigate threats in Google Cloud

https://cloud.google.com/chronicle/docs/preview/cloud-detect-investigate

Chronicle SIEM Overview

https://cloud.google.com/chronicle/docs/overview

Chronicle Cloud Community Forums

https://www.googlecloudcommunity.com/gc/Chronicle-Forums/ct-p/chronicle-forums


Nice article Andras!