Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
---|---|---|---|---|---|---|---|
GCP Security Command Center Assets | | | | ✅ | gcp_security_command_center_assets | NDJSON | GCP |
GCP Security Command Center Findings | | | | ✅ | gcp_security_command_center_findings | NDJSON | GCP |
Overview
Google Cloud Security Command Center (SCC) is a comprehensive security and risk management platform for Google Cloud environments. It provides centralized visibility into your cloud assets, vulnerabilities, and threats, helping organizations proactively protect their resources. SCC offers features like asset discovery, misconfiguration detection, vulnerability scanning, and threat intelligence to identify and mitigate risks in real time. Integrated with Google services and partner tools, it empowers teams to detect, investigate, and respond to potential security issues quickly, making it a vital tool for maintaining a robust cloud security posture.
Supported data types
GCP Security Command Center Assets
Table name: gcp_security_command_center_assets
In Google Cloud Security Command Center (SCC), Assets provide a centralized view of all resources in your Google Cloud environment, offering critical insights for security and inventory management. Assets include virtual machines, storage buckets, databases, and other cloud resources, along with their metadata, configurations, and security statuses. SCC continuously monitors and updates asset information, enabling organizations to identify misconfigurations, detect vulnerabilities, and track changes over time. By consolidating this information, SCC Assets help improve visibility, enforce compliance, and enhance overall security management across cloud environments.
GCP Security Command Center Findings
Table name: gcp_security_command_center_findings
In Google Cloud Security Command Center (SCC), Findings represent potential security issues or risks identified across your Google Cloud environment. These include vulnerabilities, misconfigurations, policy violations, and active threats detected by SCC or integrated security services. Each finding provides details such as severity, affected assets, time of detection, and recommended actions, helping teams prioritize and remediate issues effectively. Findings are updated in real-time and can be filtered, grouped, and analyzed through the SCC dashboard, allowing organizations to maintain a strong security posture and quickly respond to evolving threats.
Send data to Hunters
1. Enable Security Command Center
Follow this guide to enable the Security Command Center in your GCP environment.
To allow Hunters to query the Security Command Center, enable the Security Command Center API by following this guide.
2. Create a service account
To allow Hunters to access the logs, you'll need to create a service account by following this guide.
Give the service account an indicative name such as Hunters-Service-Account.
Once the service account is created, generate a key for it by navigating to the service account definitions > Keys > Add Key > Create new key > JSON.
With these steps completed, logs will automatically flow into a Pub/Sub topic where they can be read by Hunters via the service account.
3. Grant the service account Security Center Viewer roles
Give the Service Account the following roles:
Security Center Assets Viewer - to allow Hunters to query Security Command Center assets
Security Center Findings Viewer - to allow Hunters to query Security Command Center findings
Security Center Sources Viewer - to allow Hunters to query Security Command Center sources
⚠️ Attention
Security Center roles should be assigned at the organization level, and not at the project level.
4. Complete the connection process on Hunters
Complete the process on the Hunters platform, following this guide.
You'll need to provide the following information:
- Your organization code (example: 123456789123)
- The generated service account JSON (see an example below).
{
"type": "service_account",
"project_id": "<proj_id>",
"private_key_id": "<private_key_id>",
"private_key": "-----BEGIN PRIVATE KEY-----<KEY>-----END PRIVATE KEY-----\n",
"client_email": "saccount@proj_id.iam.gserviceaccount.com",
"client_id": "<client_id>",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/saccount%40projid.iam.gserviceaccount.com"
}
Expected format
Logs are expected in JSON format.
GCP Security Command Center Asset
{
"name": "organizations/3963029325264209/assets/308746398812035821",
"securityCenterProperties": {
"resourceName": "//cloudresourcemanager.googleapis.com/organizations/3963029325264209",
"resourceType": "google.cloud.resourcemanager.Organization",
"resourceDisplayName": "String"
},
"resourceProperties": {
"name": "organizations/3963029325264209",
"owner": "{\"directoryCustomerId\":\"lj3h1kjg4\"}",
"lifecycleState": "ACTIVE",
"creationTime": "2017-01-11T16:25:36.282Z",
"displayName": "String",
"organizationId": "3963029325264209"
},
"securityMarks": {
"name": "organizations/3963029325264209/assets/308746398812035821/securityMarks"
},
"createTime": "2021-03-23T16:08:38.087Z",
"updateTime": "2021-07-02T13:40:47.461Z",
"iamPolicy": {
"policyBlob": "BLOB"
},
"canonicalName": "organizations/3963029325264209/assets/308746398812035821"
}
GCP Security Command Center Findings
{
"name": "organizations/36580469809652/sources/1253398313409475/findings/12073ad9e75354fd123a08b526645",
"parent": "organizations/36580469809652/sources/1253398313409475",
"resourceName": "//compute.googleapis.com/projects/a-ljh7gh-iugjmb-lhfsl/zones/ZONE/instances/4097346913891",
"state": "ACTIVE",
"category": "PUBLIC_IP_ADDRESS",
"externalUri": "https://console.cloud.google.com/compute/instancesDetail/zones/ZONE/instances/sanity-checks-cluster-new-project=a-ljh7gh-iugjmb-lhfsl",
"sourceProperties": {
"Explanation": "To reduce the attack surface, avoid assigning public IP addresses to your VMs. Stopped instances may still be flagged with a Public IP finding, e.g. if the network interfaces are configured to assign an ephemeral public IP on start. Ensure the network configurations for stopped instances do not include external access.",
"ScannerName": "COMPUTE_INSTANCE_SCANNER",
"ReactivationCount": 0.0,
"VulnerableNetworkInterfaceNames": [
"hgjcfjg5"
],
"ResourcePath": [
"projects/a-ljh7gh-iugjmb-lhfsl/",
"folders/79759039084212/",
"folders/336092314767126/",
"folders/23971203997934/",
"organizations/36580469809652/"
],
"compliance_standards": {
"nist": [
{
"ids": [
"RG-5",
"KX-9"
]
}
],
"cis": [
{
"ids": [
"2.7"
],
"version": "1.2"
}
],
"pci": [
{
"ids": [
"3.7.2"
]
}
]
},
"ExceptionInstructions": "Add the security mark \"allow_public_ip_address\" to the asset with a value of \"true\" to prevent this finding from being activated again.",
"Recommendation": "If this is unintended, please go to https://console.cloud.google.com/compute/instancesDetail/zones/ZONE/instances/sanity-checks-cluster-new-w-0?project=a-ljh7gh-iugjmb-lhfsl and click \"Edit\". For each interface under the \"Network interfaces\" heading, set \"External IP\" to \"None\", then click \"Done\" and \"Save\". If you would like to learn more about securing access to your infrastructure, see https://cloud.google.com/solutions/connecting-securely."
},
"securityMarks": {
"name": "organizations/36580469809652/sources/1253398313409475/findings/12073ad9e75354fd123a08b526645/securityMarks"
},
"eventTime": "2021-12-15T12:01:24.132Z",
"createTime": "2021-12-15T12:01:24.445Z",
"severity": "HIGH",
"canonicalName": "projects/791615922681/sources/1253398313409475/findings/12073ad9e75354fd123a08b526645"
}
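As an added example (not part of the Hunters documentation or the SCC product), the Python below consumes NDJSON findings shaped like the record above: it flattens each finding into triage fields, derives the organization and project from ResourcePath, collects the compliance control ids, skips a malformed line instead of aborting the batch, and filters ACTIVE findings by severity. All sample records and ids are constructed.

```python
import json
# Constructed NDJSON sample (not from the page), shaped like the finding record above:
# an ACTIVE/HIGH compute finding, an INACTIVE/LOW storage finding, and one truncated line.
SAMPLE_NDJSON = "\n".join([
    json.dumps({"name": "organizations/111/sources/222/findings/aaa", "state": "ACTIVE",
                "category": "PUBLIC_IP_ADDRESS", "severity": "HIGH",
                "resourceName": "//compute.googleapis.com/projects/demo-proj/zones/ZONE/instances/1",
                "sourceProperties": {"ScannerName": "COMPUTE_INSTANCE_SCANNER",
                                     "ResourcePath": ["projects/demo-proj/", "folders/333/", "organizations/111/"],
                                     "compliance_standards": {"cis": [{"ids": ["2.7"], "version": "1.2"}],
                                                              "pci": [{"ids": ["3.7.2"]}]}}}),
    json.dumps({"name": "organizations/111/sources/222/findings/bbb", "state": "INACTIVE",
                "category": "PUBLIC_BUCKET_ACL", "severity": "LOW",
                "resourceName": "//storage.googleapis.com/demo-bucket",
                "sourceProperties": {"ScannerName": "STORAGE_SCANNER",
                                     "ResourcePath": ["projects/demo-proj/", "organizations/111/"]}}),
    '{"name": "organizations/111/sources/222/findings/ccc", "state": ',  # cut-off record
])

def normalize_finding(rec: dict) -> dict:
    """Flatten one SCC finding into the fields a triage query needs."""
    props = rec.get("sourceProperties", {})
    # ResourcePath lists the hierarchy leaf-first and ends at the organization.
    path = [p.rstrip("/") for p in props.get("ResourcePath", [])]
    org = next((p for p in path if p.startswith("organizations/")), None)
    project = next((p for p in path if p.startswith("projects/")), None)
    # compliance_standards is {standard: [{"ids": [...], ...}]}; emit sorted "standard:id" tags.
    tags = sorted(f"{std}:{i}" for std, entries in props.get("compliance_standards", {}).items()
                  for entry in entries for i in entry.get("ids", []))
    return {"finding_id": rec["name"].rsplit("/", 1)[-1], "state": rec.get("state"),
            "severity": rec.get("severity"), "category": rec.get("category"),
            "scanner": props.get("ScannerName"), "resource": rec.get("resourceName"),
            "organization": org, "project": project, "compliance": tags}

def parse_ndjson(text: str) -> list[dict]:
    """Parse NDJSON into normalized findings; a malformed line is skipped, not fatal."""
    out = []
    for line in filter(str.strip, text.splitlines()):
        try:
            out.append(normalize_finding(json.loads(line)))
        except (json.JSONDecodeError, KeyError):
            continue
    return out

def active_at_or_above(text: str, min_severity: str = "HIGH") -> list[dict]:
    """Return ACTIVE findings at or above min_severity; unknown severities never match."""
    rank = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}
    return [f for f in parse_ndjson(text)
            if f["state"] == "ACTIVE" and rank.get(f["severity"], -1) >= rank[min_severity]]
```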