Collect Nucleus Security - Nucleus Unified Vulnerability Management logs

This document explains how to ingest Nucleus Security - Nucleus Unified Vulnerability Management logs into Google Security Operations (Google SecOps) using Amazon S3 as the transfer point: Nucleus exports asset and finding data to an S3 bucket, and a Google SecOps feed reads it from there.

Nucleus Security provides a unified vulnerability management platform that aggregates and enriches vulnerability data from 150+ security tools, asset inventories, and threat intelligence sources. The platform enables organizations to prioritize and remediate critical exposures at scale through automated workflows, risk-based prioritization, and comprehensive reporting.

Before you begin

Make sure you have the following prerequisites:

  • A Google SecOps instance
  • Privileged access to the Nucleus Security console with connector configuration permissions
  • Privileged access to AWS (S3, IAM)

Configure Nucleus Security

To configure Nucleus Security to export vulnerability and asset data to S3, you must first set up the AWS connector in your Nucleus project.

  1. Sign in to your Nucleus Security console.
  2. Go to Integration Hub > Connector Setup.
  3. Select Amazon Web Services.
  4. In the Name field, enter a name for the connector (for example, Chronicle S3 Export).
  5. In the Description field, enter a description for this connector (for example, Export to Chronicle via S3).
  6. In the Authentication section, note the AWS External ID and AWS Account values displayed. You will use these values when creating the cross-account role in AWS.
  7. Leave this page open. You will return to complete the configuration after setting up AWS resources.

Configure AWS S3 bucket and IAM for Google SecOps

  1. Create an Amazon S3 bucket by following this user guide: Creating a bucket
  2. Save the bucket Name and Region for future reference (for example, nucleus-chronicle-export).
  3. Create an IAM user by following this user guide: Creating an IAM user.
  4. Select the created user.
  5. Select the Security credentials tab.
  6. In the Access keys section, click Create access key.
  7. Select Third-party service as the Use case.
  8. Click Next.
  9. Optional: Add a description tag.
  10. Click Create access key.
  11. Click Download .csv file to save the Access key and Secret access key for future reference.
  12. Click Done.
  13. Select the Permissions tab.
  14. In the Permissions policies section, click Add permissions.
  15. Select Add permissions.
  16. Select Attach policies directly.
  17. Search for the AmazonS3FullAccess policy.
  18. Select the policy.
  19. Click Next.
  20. Click Add permissions.
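The steps above attach AmazonS3FullAccess, which grants the feed user read and write access to every bucket in the account. The policy below is an added example, not part of the original document or of Google's published feed configuration: it scopes the same user to the single export bucket and to the operations the feed performs (listing the bucket, reading objects, and deleting objects only if you choose a source deletion option in the feed). The bucket name nucleus-chronicle-export is the example name used on this page; the exact set of actions the feed requires is an assumption based on that behaviour, so verify the feed still ingests after replacing the managed policy.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListExportBucket",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::nucleus-chronicle-export"
    },
    {
      "Sid": "ReadExportObjects",
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::nucleus-chronicle-export/*"
    },
    {
      "Sid": "DeleteAfterIngestOnlyIfSourceDeletionEnabled",
      "Effect": "Allow",
      "Action": ["s3:DeleteObject"],
      "Resource": "arn:aws:s3:::nucleus-chronicle-export/*"
    }
  ]
}
```

Drop the third statement if you leave the feed's Source deletion option at "never delete"; the feed then needs only list and read access, and a compromised access key cannot remove evidence from the bucket.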

Create cross-account role for Nucleus

  1. In the AWS console, go to IAM > Roles > Create role.
  2. Select AWS account as the trusted entity type.
  3. Select Another AWS account.
  4. In the Account ID field, enter the AWS Account value you noted from the Nucleus connector setup page.
  5. Select Require external ID.
  6. In the External ID field, enter the AWS External ID value you noted from the Nucleus connector setup page.
  7. Click Next.
  8. Search for and select the AmazonS3FullAccess policy.
  9. Click Next.
  10. In the Role name field, enter NucleusAWSConnectorRole.
  11. Click Create role.
  12. Select the newly created NucleusAWSConnectorRole role.
  13. Copy the ARN value (for example, arn:aws:iam::123456789012:role/NucleusAWSConnectorRole). You will use this in the next section.
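Selecting Another AWS account together with Require external ID makes the console write a trust policy equivalent to the one below. This is an added illustration, not a policy document from the original page: the two placeholders stand for the AWS Account and AWS External ID values shown on the Nucleus connector setup page, and the account ID 123456789012 is the example value already used on this page. The sts:ExternalId condition is the part that matters: it ensures the role can be assumed only by a Nucleus request carrying the external ID issued to your project, so another Nucleus tenant that learns your role ARN cannot assume it (the confused deputy problem).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<NUCLEUS_AWS_ACCOUNT_ID_FROM_CONNECTOR_PAGE>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<NUCLEUS_EXTERNAL_ID_FROM_CONNECTOR_PAGE>"
        }
      }
    }
  ]
}
```

After Verify Credentials succeeds, you can confirm the trust relationship from the Trust relationships tab of NucleusAWSConnectorRole; if the Condition block is absent, the role was created without Require external ID and should be recreated.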

Configure Nucleus Security Amazon S3 connection

  1. Return to the Nucleus Security console where you left the AWS connector configuration page open.
  2. In the Authentication section, click the green plus button to add a new AWS role.
  3. In the Label field, enter a label for the role (for example, Chronicle Export Role).
  4. In the Role ARN field, enter the Amazon Resource Name (ARN) for the role you created in the previous section.
  5. Click Verify Credentials.
  6. Wait for the message confirming a successful connection to appear.
  7. In the S3 Data Upload section, select the checkbox to enable uploading asset and finding data to S3 buckets.
  8. In the S3 Bucket Name field, enter the name of the S3 bucket you created (for example, nucleus-chronicle-export).
  9. In the S3 Bucket Region dropdown, select the region matching your S3 bucket.
  10. In the AWS Access Key ID field, enter the access key you saved in step 11 of the AWS configuration.
  11. In the AWS Secret Access Key field, enter the secret key you saved in step 11 of the AWS configuration.
  12. Click Save & Finish.

Configure a feed in Google SecOps to ingest Nucleus Security logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. On the next page, click Configure a single feed.
  4. Enter a unique name in the Feed name field.
  5. Select Amazon S3 V2 as the Source type.
  6. Select Nucleus Security - Nucleus Unified Vulnerability Management as the Log type.
  7. Click Next and then click Submit.
  8. Specify values for the following fields:

    • S3 URI: s3://nucleus-chronicle-export/
    • Source deletion option: Select the deletion option according to your preference
    • Maximum File Age: Include files modified in the last number of days (default is 180 days)
    • Access Key ID: User access key with access to the S3 bucket
    • Secret Access Key: User secret key with access to the S3 bucket
    • Asset namespace: The asset namespace
    • Ingestion labels: The label to be applied to the events from this feed
  9. Click Next and then click Submit.

UDM mapping table

Log Field             | UDM Mapping                               | Logic
----------------------|-------------------------------------------|------------------------------------------------------
host_score            | entity.asset.attribute.labels             | Custom labels or attributes associated with the asset
risk_score            | entity.asset.attribute.labels             |
scan_type             | entity.asset.attribute.labels             |
status                | entity.asset.deployment_status            | Deployment status of the asset
asset_name            | entity.asset.hostname                     | Hostname of the asset
ip_address            | entity.asset.ip                           | IP address associated with the asset
asset_id              | entity.asset.product_object_id            | Product-specific identifier for the object
finding_name          | entity.asset.vulnerabilities.description  | Description of the vulnerability
finding_name          | entity.asset.vulnerabilities.name         | Name of the vulnerability
finding_severity      | entity.asset.vulnerabilities.severity     | Severity level of the vulnerability
nucleus_url           | entity.url                                | URL of the entity
metadata.entity_type  | metadata.entity_type                      | Type of entity
metadata.product_name | metadata.product_name                     | Name of the product that generated the event
metadata.vendor_name  | metadata.vendor_name                      | Name of the vendor that produced the product
