Using the SCC APIs to build a lightweight version of the SCC product

I want to build a lightweight version of SCC for internal usage within my organization using the SCC APIs (either the Google Cloud client libraries or the REST API). Looking at the API documentation, my understanding is that the APIs only support the asset/finding discovery and application vulnerability features of SCC. I see the below features of SCC:

  1. Asset Discovery and Inventory (APIs available)
  2. Unified security findings (APIs unavailable)
  3. Notifications and actions (APIs unavailable)
  4. Application vulnerability detection (APIs available)
  5. Misconfiguration detection (APIs unavailable)
  6. Anomaly detection (APIs unavailable)
  7. Threat detection (APIs unavailable)
  8. Container runtime security (APIs unavailable)

Thank you for posting this question. You should be able to do more than just listing assets, findings and vulnerabilities. Based on the information listed I don't fully understand your use cases and requirements here, but in general you should be able to gather most of the details out of SCC via the API, and I will try to give a few options here on working with data from SCC.

You already shared the documentation which contains most of the supported ways to interact with our API. 

The most common way I see our customers working with SCC is exporting Findings and data out of our platform and sending it to a SIEM, SOAR or other workflow or reporting type tools. The following guide can give some details on how to export Findings from SCC. When I say Findings, this should include Findings from the detection methods of SCC, including Findings generated by Event Threat Detection rules, VM and Container Threat Detection, Misconfigurations, etc.

If you don't want to go down the direct API route, you can also configure Exports via Pub/Sub Topics and your 3rd party tool can interact with those topics to fetch this information, or export your data to BigQuery where you can create reports and further use cases with your SCC data.

You can find some more information on these methods here or on my topic on SCC and BigQuery.

One more finishing thought: with SCC Enterprise, which was released a few months ago, you now also have the opportunity to send all your SCC data into a Chronicle SecOps (SIEM + SOAR) platform automatically, and you have the full flexibility of SOAR playbooks to work with your data and create custom workflows as needed.

If you would like to dive into any of these topics in more depth or have a specific use case you would like to discuss further, I'm happy to help, just let me know.

Thanks @andras for your detailed response. My use case, or rather my idea, is to build a lightweight product similar to SCC with a separate GUI that I can use internally within my org. Again, does this mean that the scope is limited to the project where the product is deployed, meaning self-contained? I can't build a GCP Marketplace-type SaaS product.

If it's mainly displaying Findings and a few other stats of SCC in different ways, then the API or Pub/Sub route should be able to export the Findings you need from all the different categories into an internal tool (if it's mainly visualization you're after, then the Looker + BigQuery combination is still in play here). With both the API and Pub/Sub routes you can choose to keep the data contained inside the project, or you can also expose it to other tools and functions in other GCP projects or outside GCP, depending on your design and requirements.

I don't have sufficient familiarity to be able to comment on the Marketplace side.

@andras Thanks for your reply. Do the SCC events get published to Pub/Sub by default and to a predefined Pub/Sub topic, or do I need to set up a user-defined Pub/Sub topic?

They are not automatically sent to a Pub/Sub topic. You will need to first create a Pub/Sub topic, then within your SCC Configuration you need to create a 'Continuous Export' to define what Findings you want to send to that Pub/Sub topic. You can use a filter on the continuous export settings to exclude/include Findings as needed. You can also create multiple exports to send different types of events, using your filters, to different destinations.
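The procedure described above (topic first, then a filtered continuous export, then consuming what it publishes), written out as an added example that is not code from the thread or from Google. It uses the `google-cloud-securitycenter` client's `create_notification_config` call for the actual export; the organization, project, topic and finding IDs are placeholders, and the sample Pub/Sub message is constructed to match the shape of a continuous-export payload.

```python
import json
from typing import Any, Dict, List, Optional

def build_findings_filter(severities: List[str], categories: Optional[List[str]] = None,
                          active_only: bool = True) -> str:
    """SCC findings filter, usable both for list_findings and for a continuous export."""
    clauses = []
    if active_only:
        clauses.append('state="ACTIVE"')
    if severities:
        clauses.append("(" + " OR ".join(f'severity="{s}"' for s in severities) + ")")
    if categories:
        clauses.append("(" + " OR ".join(f'category="{c}"' for c in categories) + ")")
    return " AND ".join(clauses)

def build_continuous_export(parent: str, config_id: str, topic: str, filter_expr: str) -> Dict[str, Any]:
    """Request for SecurityCenterClient.create_notification_config.
    parent: organizations/ORG_ID or projects/PROJECT_ID; topic: projects/P/topics/T (create it first)."""
    return {
        "parent": parent,
        "config_id": config_id,
        "notification_config": {
            "description": "Continuous export for the internal SCC dashboard",
            "pubsub_topic": topic,
            "streaming_config": {"filter": filter_expr},
        },
    }

def create_continuous_export(request: Dict[str, Any]):
    """Performs the call; needs google-cloud-securitycenter installed and GCP credentials."""
    from google.cloud import securitycenter_v1  # lazy import so the rest of the file runs offline
    return securitycenter_v1.SecurityCenterClient().create_notification_config(request=request)

def parse_export_message(data: bytes) -> Dict[str, str]:
    """Pick out the fields an internal tool would index from one Pub/Sub message.
    Continuous exports publish a JSON NotificationMessage that carries the finding."""
    finding = json.loads(data)["finding"]
    return {
        "name": finding["name"],
        "category": finding["category"],
        "severity": finding.get("severity", "SEVERITY_UNSPECIFIED"),
        "state": finding["state"],
        "resource": finding["resourceName"],
    }

# Constructed sample message with placeholder IDs, shaped like a continuous-export payload.
SAMPLE_MESSAGE = json.dumps({"notificationConfigName": "organizations/ORG_ID/notificationConfigs/internal-dashboard",
    "finding": {"name": "organizations/ORG_ID/sources/SOURCE_ID/findings/FINDING_ID", "category": "OPEN_FIREWALL",
    "severity": "HIGH", "state": "ACTIVE", "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/global/firewalls/FW"}}).encode()
```

A second export with a different filter and topic is just another `build_continuous_export` call with a new `config_id`.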

Thanks @andras, I appreciate your quick response very much.

@andras Are SCC Premium events available out of the box (without enabling SCC Premium), and can these events be streamed to a BQ dataset? On a different note, are there APIs that can fetch SCC Premium related data for free? Also, how are the SCC APIs billed?

For Premium tier detections (VM and Container Threat Detection, Event Threat Detection, etc.) to be available for streaming to BQ, you would need Premium/Enterprise enabled and set up. If they are not enabled, the relevant Findings will not be created. For pricing you can find some more information here, but I don't have any more specific answer for this, sorry.

Can I enable SCC Premium in Project A and call APIs from Project A to fetch SCC Premium findings from a different project, Project B? In summary, does cross-project access work without enabling SCC Premium in the target project, @andras?

SCC Premium Findings would only be available on Project B if SCC Premium is enabled on that project or if it's enabled Org wide. There is some more info on the activation of the different tiers here, and on some of the limitations of Project vs Org activation.