This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Webinar May 29th: Log Ingestion: Bindplane + Google SecOps
Log in to ask a question

How to ingest Chokepoint findings from SCCE into SecOps?

Posted on 03-13-2025 01:55 AM
ar3diu
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

It looks like they are not collected in neither SIEM or SOAR by default. Any idea?

https://cloud.google.com/security-command-center/docs/reference/rest/v2/IssueType

Solved Solved
1 3 165
Topic Labels
Jump to Solution
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
_K_O
Silver 1
Silver 1
In response to ar3diu
Reply posted on --/--/---- --:-- AM

My best guess is that it's the ones that start with SOAR_Connector: 

_K_O_0-1741957497327.png

That being said, you may need to reach out to your TAM to confirm which ones were set up for your project. I only have two available so I'd probably just modify both. 

 

View solution in original post

Jump to Solution
0 Likes
3 REPLIES 3

Posted on --/--/---- --:-- AM
_K_O
Silver 1
Silver 1
Reply posted on --/--/---- --:-- AM

Within the Risk Overview Setting Page, there are pub subs which push the events from SCCE to SecOps SIEM/SOAR:

_K_O_0-1741871866121.png

 

If you look into the different connectors & jobs, you'll see the event types that are being pushed from SCCE. By default, it looks like a few finding classes are not included. (This doesn't account for the Threat finding_class though which confuses me).

_K_O_1-1741871924889.png

My assumption is that you would need to add the Chokepoint finding class to those queries:

 

finding_class="CHOKEPOINT"

 

 

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
ar3diu
Bronze 4
Bronze 4
In response to _K_O
Reply posted on --/--/---- --:-- AM

Thanks for the explanation! So, there are several exports configured and I can't figure out which one goes to SecOps. Any idea how to figure that out? Because that could point me to the filter that should also contain finding_class="CHOKEPOINT"

 

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
_K_O
Silver 1
Silver 1
In response to ar3diu
Reply posted on --/--/---- --:-- AM

My best guess is that it's the ones that start with SOAR_Connector: 

_K_O_0-1741957497327.png

That being said, you may need to reach out to your TAM to confirm which ones were set up for your project. I only have two available so I'd probably just modify both. 

 

Jump to Solution
0 Likes
Top Solution Authors
View all