{ "name": "google_scc", "title": "Google Security Command Center", "version": "2.4.0", "release": "ga", "description": "Collect logs from Google Security Command Center with Elastic Agent.", "type": "integration", "download": "/epr/google_scc/google_scc-2.4.0.zip", "path": "/package/google_scc/2.4.0", "icons": [ { "src": "/img/google-scc-logo.svg", "path": "/package/google_scc/2.4.0/img/google-scc-logo.svg", "title": "Google SCC logo", "size": "32x32", "type": "image/svg+xml" } ], "conditions": { "kibana": { "version": "^8.19.4 || ^9.1.4" }, "elastic": { "subscription": "basic" } }, "owner": { "type": "elastic", "github": "elastic/security-service-integrations" }, "categories": [ "google_cloud", "security", "cloudsecurity_cdr", "vulnerability_workflow", "misconfiguration_workflow" ], "signature_path": "/epr/google_scc/google_scc-2.4.0.zip.sig", "format_version": "3.2.3", "readme": "/package/google_scc/2.4.0/docs/README.md", "license": "basic", "screenshots": [ { "src": "/img/google-scc-overview-screenshot.png", "path": "/package/google_scc/2.4.0/img/google-scc-overview-screenshot.png", "title": "Google SCC Overview Dashboard Screenshot", "size": "600x600", "type": "image/png" }, { "src": "/img/google-scc-asset-screenshot.png", "path": "/package/google_scc/2.4.0/img/google-scc-asset-screenshot.png", "title": "Google SCC Asset Dashboard Screenshot", "size": "600x600", "type": "image/png" }, { "src": "/img/google-scc-audit-screenshot.png", "path": "/package/google_scc/2.4.0/img/google-scc-audit-screenshot.png", "title": "Google SCC Audit Dashboard Screenshot", "size": "600x600", "type": "image/png" }, { "src": "/img/google-scc-finding-screenshot.png", "path": "/package/google_scc/2.4.0/img/google-scc-finding-screenshot.png", "title": "Google SCC Finding Dashboard Screenshot", "size": "600x600", "type": "image/png" }, { "src": "/img/google-scc-source-screenshot.png", "path": "/package/google_scc/2.4.0/img/google-scc-source-screenshot.png", "title": "Google SCC Source Dashboard Screenshot", "size": "600x600", "type": "image/png" } ], "assets": [ "/package/google_scc/2.4.0/LICENSE.txt", "/package/google_scc/2.4.0/changelog.yml", "/package/google_scc/2.4.0/manifest.yml", "/package/google_scc/2.4.0/validation.yml", "/package/google_scc/2.4.0/docs/README.md", "/package/google_scc/2.4.0/img/google-scc-asset-screenshot.png", "/package/google_scc/2.4.0/img/google-scc-audit-screenshot.png", "/package/google_scc/2.4.0/img/google-scc-finding-screenshot.png", "/package/google_scc/2.4.0/img/google-scc-logo.svg", "/package/google_scc/2.4.0/img/google-scc-overview-screenshot.png", "/package/google_scc/2.4.0/img/google-scc-source-screenshot.png", "/package/google_scc/2.4.0/kibana/tags.yml", "/package/google_scc/2.4.0/data_stream/asset/manifest.yml", "/package/google_scc/2.4.0/data_stream/asset/sample_event.json", "/package/google_scc/2.4.0/data_stream/audit/manifest.yml", "/package/google_scc/2.4.0/data_stream/audit/sample_event.json", "/package/google_scc/2.4.0/data_stream/finding/manifest.yml", "/package/google_scc/2.4.0/data_stream/finding/sample_event.json", "/package/google_scc/2.4.0/data_stream/source/manifest.yml", "/package/google_scc/2.4.0/data_stream/source/sample_event.json", "/package/google_scc/2.4.0/kibana/dashboard/google_scc-0d6620a0-05f4-11ee-af70-a35c241bca6a.json", "/package/google_scc/2.4.0/kibana/dashboard/google_scc-1216f720-05f7-11ee-af70-a35c241bca6a.json", "/package/google_scc/2.4.0/kibana/dashboard/google_scc-279e2ae0-05e9-11ee-af70-a35c241bca6a.json", "/package/google_scc/2.4.0/kibana/dashboard/google_scc-47d98700-0878-11ee-8e98-37b34c549462.json", "/package/google_scc/2.4.0/kibana/dashboard/google_scc-62ec9780-05c6-11ee-af70-a35c241bca6a.json", "/package/google_scc/2.4.0/kibana/search/google_scc-23596503-5105-451e-8f64-f59054e3774c.json", "/package/google_scc/2.4.0/kibana/search/google_scc-78724c60-05ff-11ee-af70-a35c241bca6a.json", "/package/google_scc/2.4.0/kibana/search/google_scc-96641630-05e7-11ee-af70-a35c241bca6a.json", "/package/google_scc/2.4.0/kibana/search/google_scc-c57ada30-0876-11ee-8e98-37b34c549462.json", "/package/google_scc/2.4.0/data_stream/asset/fields/base-fields.yml", "/package/google_scc/2.4.0/data_stream/asset/fields/beats.yml", "/package/google_scc/2.4.0/data_stream/asset/fields/fields.yml", "/package/google_scc/2.4.0/data_stream/audit/fields/base-fields.yml", "/package/google_scc/2.4.0/data_stream/audit/fields/beats.yml", "/package/google_scc/2.4.0/data_stream/audit/fields/fields.yml", "/package/google_scc/2.4.0/data_stream/finding/fields/base-fields.yml", "/package/google_scc/2.4.0/data_stream/finding/fields/beats.yml", "/package/google_scc/2.4.0/data_stream/finding/fields/ecs.yml", "/package/google_scc/2.4.0/data_stream/finding/fields/fields.yml", "/package/google_scc/2.4.0/data_stream/finding/fields/package.yml", "/package/google_scc/2.4.0/data_stream/finding/fields/resource.yml", "/package/google_scc/2.4.0/data_stream/finding/fields/result.yml", "/package/google_scc/2.4.0/data_stream/finding/fields/rule.yml", "/package/google_scc/2.4.0/data_stream/finding/fields/vulnerability.yml", "/package/google_scc/2.4.0/data_stream/source/fields/base-fields.yml", "/package/google_scc/2.4.0/data_stream/source/fields/beats.yml", "/package/google_scc/2.4.0/data_stream/source/fields/fields.yml", "/package/google_scc/2.4.0/elasticsearch/transform/latest_cdr_misconfigurations/transform.yml", "/package/google_scc/2.4.0/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml", "/package/google_scc/2.4.0/data_stream/asset/agent/stream/gcp-pubsub.yml.hbs", "/package/google_scc/2.4.0/data_stream/asset/agent/stream/httpjson.yml.hbs", "/package/google_scc/2.4.0/data_stream/asset/elasticsearch/ingest_pipeline/default.yml", "/package/google_scc/2.4.0/data_stream/asset/elasticsearch/ingest_pipeline/pipeline_asset.yml", "/package/google_scc/2.4.0/data_stream/asset/elasticsearch/ingest_pipeline/pipeline_prior_asset.yml", "/package/google_scc/2.4.0/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs", "/package/google_scc/2.4.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml", "/package/google_scc/2.4.0/data_stream/finding/agent/stream/gcp-pubsub.yml.hbs", "/package/google_scc/2.4.0/data_stream/finding/agent/stream/httpjson.yml.hbs", "/package/google_scc/2.4.0/data_stream/finding/elasticsearch/ingest_pipeline/default.yml", "/package/google_scc/2.4.0/data_stream/source/agent/stream/httpjson.yml.hbs", "/package/google_scc/2.4.0/data_stream/source/elasticsearch/ingest_pipeline/default.yml", "/package/google_scc/2.4.0/elasticsearch/transform/latest_cdr_misconfigurations/fields/base-fields.yml", "/package/google_scc/2.4.0/elasticsearch/transform/latest_cdr_misconfigurations/fields/beats.yml", "/package/google_scc/2.4.0/elasticsearch/transform/latest_cdr_misconfigurations/fields/ecs-overridden.yml", "/package/google_scc/2.4.0/elasticsearch/transform/latest_cdr_misconfigurations/fields/fields.yml", "/package/google_scc/2.4.0/elasticsearch/transform/latest_cdr_misconfigurations/fields/package.yml", "/package/google_scc/2.4.0/elasticsearch/transform/latest_cdr_misconfigurations/fields/resource.yml", "/package/google_scc/2.4.0/elasticsearch/transform/latest_cdr_misconfigurations/fields/result.yml", "/package/google_scc/2.4.0/elasticsearch/transform/latest_cdr_misconfigurations/fields/rule.yml", "/package/google_scc/2.4.0/elasticsearch/transform/latest_cdr_vulnerabilities/fields/base-fields.yml", "/package/google_scc/2.4.0/elasticsearch/transform/latest_cdr_vulnerabilities/fields/beats.yml", "/package/google_scc/2.4.0/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs-overridden.yml", "/package/google_scc/2.4.0/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml", "/package/google_scc/2.4.0/elasticsearch/transform/latest_cdr_vulnerabilities/fields/package.yml", "/package/google_scc/2.4.0/elasticsearch/transform/latest_cdr_vulnerabilities/fields/resource.yml", "/package/google_scc/2.4.0/elasticsearch/transform/latest_cdr_vulnerabilities/fields/vulnerability.yml" ], "policy_templates": [ { "name": "google_scc", "title": "Google SCC logs", "description": "Collect logs from Google SCC.", "inputs": [ { "type": "httpjson", "vars": [ { "name": "credentials_type", "type": "select", "title": "Credentials Type", "description": "Credentials Type of the Google SCC. Note: This is required field if not installed in GCP-Cloud Environment.", "multi": false, "required": false, "show_user": true }, { "name": "credentials", "type": "password", "title": "Credentials JSON/File", "description": "Path to a JSON or JSON blob file containing the credentials and key used to subscribe. Note: This is required field if not installed in GCP-Cloud Environment.", "multi": false, "required": false, "show_user": true }, { "name": "parent_type", "type": "select", "title": "Parent Type", "description": "Parent Type of the Google SCC.", "multi": false, "required": true, "show_user": true }, { "name": "id", "type": "text", "title": "ID", "description": "ID of the selected parent type.", "multi": false, "required": true, "show_user": true }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "proxy_url", "type": "text", "title": "Proxy URL", "description": "URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format.", "multi": false, "required": false, "show_user": false }, { "name": "ssl", "type": "yaml", "title": "SSL Configuration", "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.", "multi": false, "required": false, "show_user": false, "default": "#certificate_authorities:\n# - |\n# -----BEGIN CERTIFICATE-----\n# MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n# ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n# MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n# BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n# fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n# 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n# /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n# PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n# CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n# BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n# 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n# 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n# 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n# H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n# 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n# yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n# sxSmbIUfc2SGJGCJD4I=\n# -----END CERTIFICATE-----\n" } ], "title": "Collect Google SCC logs via API", "description": "Collecting Google SCC logs via API." }, { "type": "gcp-pubsub", "vars": [ { "name": "credentials_type", "type": "select", "title": "Credentials Type", "description": "Credentials Type of the Google SCC.", "multi": false, "required": true, "show_user": true }, { "name": "credentials", "type": "password", "title": "Credentials JSON/File", "description": "Path to a JSON or JSON blob file containing the credentials and key used to subscribe.", "multi": false, "required": true, "show_user": true }, { "name": "project_id", "type": "text", "title": "Project ID", "description": "Project ID of the Google SCC.", "multi": false, "required": true, "show_user": false } ], "title": "Collect Google SCC logs via GCP Pub/Sub", "description": "Collecting Google SCC logs via GCP Pub/Sub." } ], "multiple": true, "deployment_modes": { "default": { "enabled": true }, "agentless": { "enabled": true } } } ], "data_streams": [ { "type": "logs", "dataset": "google_scc.asset", "title": "Collect Asset logs from Google Security Command Center.", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "httpjson", "vars": [ { "name": "url", "type": "text", "title": "Google SCC API Host", "description": "The Google SCC API Host.", "multi": false, "required": true, "show_user": false, "default": "https://cloudasset.googleapis.com" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the Google SCC API. NOTE: Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "1h" }, { "name": "content_type", "type": "select", "title": "Content Type", "description": "Asset content type. If not specified, no content but the asset name will be returned.", "multi": false, "required": true, "show_user": true }, { "name": "batch_size", "type": "integer", "title": "Batch Size", "description": "Batch size for the response of the Google SCC API. The maximum supported batch size value is 1000.", "multi": false, "required": true, "show_user": false, "default": 1000 }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "google_scc-asset" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve google_scc.asset fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "httpjson.yml.hbs", "title": "Asset logs", "description": "Collect Asset logs from Google Security Command Center.", "enabled": false, "ingestion_method": "API" }, { "input": "gcp-pubsub", "vars": [ { "name": "topic", "type": "text", "title": "Topic", "description": "Name of the topic where the logs are written to.", "multi": false, "required": true, "show_user": true }, { "name": "subscription_name", "type": "text", "title": "Subscription Name", "description": "Use the short subscription name here, not the full-blown path with the project ID. You can find it as 'Subscription ID' on the Google Cloud Console.", "multi": false, "required": true, "show_user": true }, { "name": "subscription_create", "type": "bool", "title": "Subscription Create", "description": "If true, the integration will create the subscription on start.", "multi": false, "required": false, "show_user": false, "default": true }, { "name": "subscription_num_goroutines", "type": "text", "title": "Subscription Num Goroutines", "description": "Number of goroutines created to read from the subscription. This does not limit the number of messages that can be processed concurrently or the maximum number of goroutines the input will create.", "multi": false, "required": false, "show_user": false, "default": 1 }, { "name": "subscription_max_outstanding_messages", "type": "text", "title": "Subscription Max Outstanding Messages", "description": "The maximum number of unprocessed messages (unacknowledged but not yet expired). If the value is negative, then there will be no limit on the number of unprocessed messages. Default is 1000.", "multi": false, "required": false, "show_user": false, "default": 1000 }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "google_scc-asset" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve google_scc.asset fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false }, { "name": "alternative_host", "type": "text", "title": "Alternative host", "description": "Overrides the default Pub/Sub service address and disables TLS. For testing.", "multi": false, "required": false, "show_user": false } ], "template_path": "gcp-pubsub.yml.hbs", "title": "Asset logs", "description": "Collect Asset logs from Google Security Command Center.", "enabled": false, "ingestion_method": "GCP Pub/Sub" } ], "package": "google_scc", "path": "asset" }, { "type": "logs", "dataset": "google_scc.audit", "title": "Collect Audit logs from Google Security Command Center.", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "gcp-pubsub", "vars": [ { "name": "topic", "type": "text", "title": "Topic", "description": "Name of the topic where the logs are written to.", "multi": false, "required": true, "show_user": true }, { "name": "subscription_name", "type": "text", "title": "Subscription Name", "description": "Use the short subscription name here, not the full-blown path with the project ID. You can find it as 'Subscription ID' on the Google Cloud Console.", "multi": false, "required": true, "show_user": true }, { "name": "subscription_create", "type": "bool", "title": "Subscription Create", "description": "If true, the integration will create the subscription on start.", "multi": false, "required": false, "show_user": false, "default": true }, { "name": "subscription_num_goroutines", "type": "text", "title": "Subscription Num Goroutines", "description": "Number of goroutines created to read from the subscription. This does not limit the number of messages that can be processed concurrently or the maximum number of goroutines the input will create.", "multi": false, "required": false, "show_user": false, "default": 1 }, { "name": "subscription_max_outstanding_messages", "type": "text", "title": "Subscription Max Outstanding Messages", "description": "The maximum number of unprocessed messages (unacknowledged but not yet expired). If the value is negative, then there will be no limit on the number of unprocessed messages. Default is 1000.", "multi": false, "required": false, "show_user": false, "default": 1000 }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "google_scc-audit" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve google_scc.audit fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false }, { "name": "alternative_host", "type": "text", "title": "Alternative host", "description": "Overrides the default Pub/Sub service address and disables TLS. For testing.", "multi": false, "required": false, "show_user": false } ], "template_path": "gcp-pubsub.yml.hbs", "title": "Audit logs", "description": "Collect Audit logs from Google Security Command Center.", "enabled": false, "ingestion_method": "GCP Pub/Sub" } ], "package": "google_scc", "path": "audit" }, { "type": "logs", "dataset": "google_scc.finding", "title": "Collect Finding logs from Google Security Command Center.", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "httpjson", "vars": [ { "name": "url", "type": "text", "title": "Google SCC API Host", "description": "The Google SCC API Host.", "multi": false, "required": true, "show_user": false, "default": "https://securitycenter.googleapis.com" }, { "name": "api_version", "type": "select", "title": "API Version", "description": "Security Command Center API version. To check which version works best for you, see [migrate-to-v2](https://cloud.google.com/security-command-center/docs/migrate-v2-api).", "multi": false, "required": true, "show_user": true, "default": "v2" }, { "name": "location_id", "type": "text", "title": "Location ID", "description": "Location ID to fetch the findings. This option is only applicable when API Version is set to v2. If no location is specified, findings are assumed to be in global. This option helps support Security Command Center data residency feature. For supported values and more details on data residency, see [data-residency-support](https://cloud.google.com/security-command-center/docs/data-residency-support).", "multi": false, "required": false, "show_user": true }, { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull the activities from Google SCC. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "2160h" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the Google SCC API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "5m" }, { "name": "batch_size", "type": "integer", "title": "Batch Size", "description": "Batch size for the response of the Google SCC API. The maximum supported batch size value is 1000.", "multi": false, "required": true, "show_user": false, "default": 1000 }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "google_scc-finding" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve google_scc.finding fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "httpjson.yml.hbs", "title": "Finding logs", "description": "Collect Finding logs from Google Security Command Center.", "enabled": false, "ingestion_method": "API" }, { "input": "gcp-pubsub", "vars": [ { "name": "topic", "type": "text", "title": "Topic", "description": "Name of the topic where the logs are written to.", "multi": false, "required": true, "show_user": true }, { "name": "subscription_name", "type": "text", "title": "Subscription Name", "description": "Use the short subscription name here, not the full-blown path with the project ID. You can find it as 'Subscription ID' on the Google Cloud Console.", "multi": false, "required": true, "show_user": true }, { "name": "subscription_create", "type": "bool", "title": "Subscription Create", "description": "If true, the integration will create the subscription on start.", "multi": false, "required": false, "show_user": false, "default": true }, { "name": "subscription_num_goroutines", "type": "text", "title": "Subscription Num Goroutines", "description": "Number of goroutines created to read from the subscription. This does not limit the number of messages that can be processed concurrently or the maximum number of goroutines the input will create.", "multi": false, "required": false, "show_user": false, "default": 1 }, { "name": "subscription_max_outstanding_messages", "type": "text", "title": "Subscription Max Outstanding Messages", "description": "The maximum number of unprocessed messages (unacknowledged but not yet expired). If the value is negative, then there will be no limit on the number of unprocessed messages. Default is 1000.", "multi": false, "required": false, "show_user": false, "default": 1000 }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "google_scc-finding" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve google_scc.finding fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false }, { "name": "alternative_host", "type": "text", "title": "Alternative host", "description": "Overrides the default Pub/Sub service address and disables TLS. For testing.", "multi": false, "required": false, "show_user": false } ], "template_path": "gcp-pubsub.yml.hbs", "title": "Finding logs", "description": "Collect Finding logs from Google Security Command Center.", "enabled": false, "ingestion_method": "GCP Pub/Sub" } ], "package": "google_scc", "path": "finding" }, { "type": "logs", "dataset": "google_scc.source", "title": "Collect Source logs from Google Security Command Center.", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "httpjson", "vars": [ { "name": "url", "type": "text", "title": "Google SCC API Host", "description": "The Google SCC API Host.", "multi": false, "required": true, "show_user": false, "default": "https://securitycenter.googleapis.com" }, { "name": "api_version", "type": "select", "title": "API Version", "description": "Security Command Center API version. To check which version works best for you, see [migrate-to-v2](https://cloud.google.com/security-command-center/docs/migrate-v2-api).", "multi": false, "required": true, "show_user": true, "default": "v2" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the Google SCC API. NOTE: Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "1h" }, { "name": "batch_size", "type": "integer", "title": "Batch Size", "description": "Batch size for the response of the Google SCC API. The maximum supported batch size value is 1000.", "multi": false, "required": true, "show_user": false, "default": 1000 }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "google_scc-source" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve google_scc.source fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "httpjson.yml.hbs", "title": "Source logs", "description": "Collect Source logs from Google Security Command Center.", "enabled": false, "ingestion_method": "API" } ], "package": "google_scc", "path": "source" } ] }