Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
|---|---|---|---|---|---|---|---|
GCP V2 Security Command Center Assets | ✅ | gcp_v2_security_command_center_assets | JSON | API | |||
Gcp V2 Security Command Center Findings | ✅ | ✅ | ✅ | ✅ | gcp_v2_security_command_center_findings | JSON | API |
Overview
Google Cloud Security Command Center (SCC) V2 provides a centralized security and risk management platform for your GCP environment. It offers comprehensive visibility into your cloud assets, vulnerabilities, misconfigurations, and potential threats, enabling teams to detect, investigate, and respond to security issues more effectively.
SCC V2 also generates detailed Findings Logs that capture all security detections and related metadata, such as affected resources, event context, severity levels, and evidence. This allows deeper analysis, monitoring, and integration with Cloud Logging or external SIEM tools such as Hunters AI. Together, SCC V2 and its Findings Logs help organizations strengthen cloud security posture through continuous monitoring, threat detection, and enhanced incident investigation.
Additionally, SCC V2 supports automation and remediation by integrating with services such as Cloud Functions, Eventarc, and Security Orchestration tools, allowing teams to respond to findings in near real time. With customizable filters, dashboards, and export capabilities, organizations can align security monitoring with compliance requirements and operational workflows while scaling protection across complex, multi-project GCP environments.
Supported data types
GCP V2 Security Command Center Assets
Table name: gcp_v2_security_command_center_assets
The Security Command Center (SCC) v2 Assets logs in Google Cloud provide structured information about cloud resources (assets), including their identity, configuration, security posture, and lifecycle changes over time. They capture when assets are created, modified, or removed, along with relevant organizational context, enabling visibility into configuration drift and historical states. These logs are essential for continuous security monitoring, incident investigation, and compliance auditing across Google Cloud environments.
Gcp V2 Security Command Center Findings
Table name: gcp_v2_security_command_center_findings
The GCP V2 Security Command Center Findings logs provide detailed records of security findings detected across Google Cloud resources, including misconfigurations, vulnerabilities, policy violations, and potential threats. Each finding includes severity, category, affected assets, and status changes over time, enabling teams to track remediation progress and assess risk. These logs are critical for security monitoring, incident response, and compliance, helping organizations quickly identify, prioritize, and respond to security issues across their cloud environment.
Send data to Hunters
1. Enable Security Command Center
Follow this guide to enable the Security Command Center in your GCP environment.
To allow Hunters to query the Security Command Center, enable the Security Command Center API by following this guide.
2. Create a service account
To allow Hunters to access the logs, you'll need to create a service account by following this guide.
Give the service account an indicative name such as Hunters-Service-Account.
Once the service account is created, generate a key for the service account by navigating to the service account definitions > Keys > Add Key > Create new key > JSON.
With these steps completed, logs will automatically flow into a Pub/Sub topic where they can be read by Hunters via the service account.
3. Grant the service account Security Center Viewer roles
Give the Service Account the following roles:
- Security Center Assets Viewer - to allow Hunters to query the Security Command Center (assets)
- Security Center Findings Viewer - to allow Hunters to query the Security Command Center (findings)
- Security Center Sources Viewer - to allow Hunters to query the Security Command Center (sources)
⚠️ Attention
Security Center roles should be assigned at the organization level, and not at the project level.
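One way to check the result of step 3 is to read the organization-level IAM policy and compare the service account's bindings with the three viewer roles. This is an added example, not Hunters' own code; the service account address and the sample policy are constructed, and a role granted only at project level does not appear in this policy and is therefore reported as missing.

```python
# Role IDs for the three display names listed in step 3.
REQUIRED = {
    "roles/securitycenter.assetsViewer",
    "roles/securitycenter.findingsViewer",
    "roles/securitycenter.sourcesViewer",
}

SA = "hunters-service-account@example-proj.iam.gserviceaccount.com"  # constructed
M = f"serviceAccount:{SA}"

# Constructed organization-level policy, in the JSON shape printed by
# `gcloud organizations get-iam-policy <ORG_ID> --format=json`.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/securitycenter.assetsViewer", "members": [M]},
    {"role": "roles/securitycenter.findingsViewer",
     "members": ["group:secops@example.com", M]},
    {"role": "roles/securitycenter.admin", "members": [M]},
    {"role": "roles/securitycenter.sourcesViewer", "members": [M],
     "condition": {"title": "until-2030",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
]}


def audit(policy, sa_email):
    """Compare the service account's organization-level roles with REQUIRED."""
    member = f"serviceAccount:{sa_email}".lower()
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member in (m.lower() for m in binding.get("members", [])):
            # A conditional binding only applies while its expression holds.
            (conditional if "condition" in binding else granted).add(binding["role"])
    return {
        "missing": sorted(REQUIRED - granted - conditional),
        "conditional": sorted(REQUIRED & (conditional - granted)),
        "excess": sorted((granted | conditional) - REQUIRED),
    }


if __name__ == "__main__":
    for key, roles in audit(SAMPLE_POLICY, SA).items():
        print(f"{key}: {roles or 'none'}")
```

An empty `missing` list with anything under `excess` means the connector works but holds more than the read-only access this integration asks for.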
4. Complete the connection process on Hunters
Complete the process on the Hunters platform, following this guide.
You'll need to provide the following information:
- Your organization code (example: 123456789123)
- The generated service account JSON (see an example below).
{
  "type": "service_account",
  "project_id": "<proj_id>",
  "private_key_id": "<private_key_id>",
  "private_key": "-----BEGIN PRIVATE KEY-----<KEY>-----END PRIVATE KEY-----\n",
  "client_email": "saccount@proj_id.iam.gserviceaccount.com",
  "client_id": "<client_id>",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/saccount%40projid.iam.gserviceaccount.com"
}
Expected format
Logs are expected in JSON format.
GCP V2 Security Command Center Assets
{
"name": "//logging.example.com/folders/123456/sinks/_Default",
"assetType": "logging.example.com/LogSink",
"ancestors": [
"folders/123456",
"folders/12345",
"organizations/1212121"
],
"updateTime": "2024-08-28T18:19:11.238269662Z",
"snapshot_time": "2025-06-10T08:20:57.004360+00:00"
}
Gcp V2 Security Command Center Findings
{
"finding": {
"name": "organizations/XXXXX/sources/XXXXX/locations/global/findings/abcd123X",
"parent": "organizations/abcd123XXX/sources/XXXXXXXX/locations/global",
"resourceName": "//cloudresourcemanager.example.com/organizations/XXXXXX",
"state": "ACTIVE",
"category": "Persistence: New Geography",
"externalUri": "",
"sourceProperties": [
"{\"sourceId\":{\"projectNumber\":\"XXXXXX\",\"customerOrganizationNumber\":\"XXXXXX\"}}",
"{\"detectionCategory\":{\"technique\":\"persistence\",\"indicator\":\"audit_log\",\"ruleName\":\"iam_anomalous_behavior\",\"subRuleName\":\"ip_geolocation\"}}",
"{\"detectionPriority\":\"LOW\"}",
"{\"affectedResources\":[{\"gcpResourceName\":\"//cloudresourcemanager.example.com/projects/XXXXXX\"}]}",
"{\"evidence\":[{\"sourceLogId\":{\"projectId\":\"masked-project\",\"resourceContainer\":\"projects/masked-project\",\"timestamp\":{\"seconds\":\"0000000000\",\"nanos\":000000000},\"insertId\":\"XXXXXXXX\",\"logId\":\"cloudaudit.googleapis.com/activity\"}}]}",
"{\"properties\":{\"anomalousLocation\":{\"anomalousLocation\":\"XX\",\"callerIp\":\"XX.XX.XX.XX\",\"principalEmail\":\"masked_user@example.com\",\"notSeenInLast\":\"2592000s\",\"typicalGeolocations\":[{\"country\":{\"identifier\":\"IN\"}},{\"country\":{\"identifier\":\"US\"}}]}}}",
"{\"findingId\":\"abcd123abcd123abcd123X\"}",
"{\"contextUris\":{\"mitreUri\":{\"displayName\":\"MITRE Link\",\"url\":\"https://attack.mitre.org/techniques/T1078/004/\"},\"cloudLoggingQueryUri\":[{\"displayName\":\"Cloud Logging Query Link\",\"url\":\"https://console.cloud.google.com/logs/query;query=timestamp%3D%220000-00-00T00:00:00Z%22%0AinsertId%3D%22XXXXXX%22?project=masked-project\"}],\"relatedFindingUri\":{}}}"
],
"securityMarks": "{\"name\":\"organizations/abcd123XXX/sources/abcd123abcd123XX/locations/global/findings/abcd123abcd123XXXXXX/securityMarks\",\"marks\":[]}",
"eventTime": "0000-00-00T00:00:00Z",
"createTime": "0000-00-00T00:00:00Z",
"severity": "LOW",
"canonicalName": "organizations/abcd123XXX/sources/abcd123abcd123XX/locations/global/findings/abcd123abcd123XXXXXX",
"mute": "UNDEFINED",
"findingClass": "THREAT",
"launchState": "LAUNCH_STATE_GENERAL_AVAILABILITY",
"indicator": "{\"ipAddresses\":[],\"domains\":[],\"signatures\":[],\"uris\":[]}",
"dataProtectionKeyGovernance": "{\"violations\":[]}",
"vertexAi": "{\"datasets\":[],\"pipelines\":[]}",
"muteUpdateTime": "1970-01-01T00:00:00Z",
"muteInitiator": "",
"muteInfo": "{\"staticMute\":{\"state\":\"UNDEFINED\",\"applyTime\":\"1970-01-01T00:00:00Z\"},\"dynamicMuteRecords\":[]}",
"contacts": [
"{\"key\":\"security\",\"value\":{\"contacts\":[{\"email\":\"security-masked@example.com\"}]}}",
"{\"key\":\"technical\",\"value\":{\"contacts\":[{\"email\":\"tech-masked@example.com\"}]}}"
],
"externalSystems": [],
"access": "{\"principalEmail\":\"masked_user@example.com\",\"callerIp\":\"XX.XX.XX.XX\",\"callerIpGeo\":{\"regionCode\":\"XX\"},\"userAgent\":\"masked-user-agent\",\"userAgentFamily\":\"\",\"serviceName\":\"bigquery.googleapis.com\",\"methodName\":\"google.cloud.bigquery.v2.JobService.InsertJob\",\"principalSubject\":\"\",\"serviceAccountKeyName\":\"\",\"serviceAccountDelegationInfo\":[],\"userName\":\"\"}",
"mitreAttack": "{\"primaryTactic\":\"PERSISTENCE\",\"primaryTechniques\":[\"VALID_ACCOUNTS\",\"CLOUD_ACCOUNTS\"],\"additionalTactics\":[],\"additionalTechniques\":[],\"version\":\"\"}",
"description": "",
"compliances": [],
"iamBindings": [],
"nextSteps": "",
"connections": [],
"exfiltration": "{\"sources\":[],\"targets\":[],\"totalExfiltratedBytes\":\"0\"}",
"processes": [],
"containers": [],
"kubernetes": "{\"pods\":[],\"nodes\":[],\"nodePools\":[],\"roles\":[],\"bindings\":[],\"accessReviews\":[],\"objects\":[]}",
"parentDisplayName": "Event Threat Detection",
"moduleName": "",
"vulnerability": "{\"cve\":{\"id\":\"\",\"references\":[],\"cvssv3\":{\"baseScore\":0,\"attackVector\":\"ATTACK_VECTOR_UNSPECIFIED\",\"attackComplexity\":\"ATTACK_COMPLEXITY_UNSPECIFIED\",\"privilegesRequired\":\"PRIVILEGES_REQUIRED_UNSPECIFIED\",\"userInteraction\":\"USER_INTERACTION_UNSPECIFIED\",\"scope\":\"SCOPE_UNSPECIFIED\",\"confidentialityImpact\":\"IMPACT_UNSPECIFIED\",\"integrityImpact\":\"IMPACT_UNSPECIFIED\",\"availabilityImpact\":\"IMPACT_UNSPECIFIED\"},\"upstreamFixAvailable\":false,\"impact\":\"RISK_RATING_UNSPECIFIED\",\"exploitationActivity\":\"EXPLOITATION_ACTIVITY_UNSPECIFIED\",\"observedInTheWild\":false,\"zeroDay\":false,\"exploitReleaseDate\":\"1970-01-01T00:00:00Z\",\"firstExploitationDate\":\"1970-01-01T00:00:00Z\"},\"offendingPackage\":{\"packageName\":\"\",\"cpeUri\":\"\",\"packageType\":\"\",\"packageVersion\":\"\"},\"fixedPackage\":{\"packageName\":\"\",\"cpeUri\":\"\",\"packageType\":\"\",\"packageVersion\":\"\"},\"securityBulletin\":{\"bulletinId\":\"\",\"submissionTime\":\"1970-01-01T00:00:00Z\",\"suggestedUpgradeVersion\":\"\"}}",
"database": "{\"name\":\"\",\"displayName\":\"\",\"userName\":\"\",\"query\":\"\",\"grantees\":[],\"version\":\"\"}",
"dataAccessEvents": [],
"dataFlowEvents": [],
"dataRetentionDeletionEvents": [],
"attackExposure": "{\"score\":0,\"latestCalculationTime\":\"1970-01-01T00:00:00Z\",\"attackExposureResult\":\"\",\"state\":\"STATE_UNSPECIFIED\",\"exposedHighValueResourcesCount\":0,\"exposedMediumValueResourcesCount\":0,\"exposedLowValueResourcesCount\":0}",
"files": [],
"orgPolicies": [],
"ipRules": "{\"direction\":\"DIRECTION_UNSPECIFIED\",\"allowed\":{\"ipRules\":[]},\"denied\":{\"ipRules\":[]},\"sourceIpRanges\":[],\"destinationIpRanges\":[],\"exposedServices\":[]}",
"kernelRootkit": "{\"name\":\"\",\"unexpectedCodeModification\":false,\"unexpectedReadOnlyDataModification\":false,\"unexpectedFtraceHandler\":false,\"unexpectedKprobeHandler\":false,\"unexpectedKernelCodePages\":false,\"unexpectedSystemCallHandler\":false,\"unexpectedInterruptHandler\":false,\"unexpectedProcessesInRunqueue\":false}",
"backupDisasterRecovery": "{\"backupTemplate\":\"\",\"policies\":[],\"host\":\"\",\"applications\":[],\"storagePool\":\"\",\"policyOptions\":[],\"profile\":\"\",\"appliance\":\"\",\"backupType\":\"\",\"backupCreateTime\":\"1970-01-01T00:00:00Z\"}",
"apigee": "{\"organization\":\"\",\"environment\":\"\",\"securityProfileId\":\"\"}",
"disk": "{\"name\":\"\"}",
"risks": [],
"loadBalancers": [],
"deactivationReason": "{\"reason\":\"REASON_UNSPECIFIED\"}",
"domains": [],
"affectedResources": "{\"count\":\"0\"}",
"aiModel": "{\"name\":\"\",\"domain\":\"\",\"library\":\"\",\"location\":\"\",\"publisher\":\"\",\"deploymentPlatform\":\"DEPLOYMENT_PLATFORM_UNSPECIFIED\",\"displayName\":\"\"}",
"cloudDlpInspection": "{\"inspectJob\":\"\",\"infoType\":\"\",\"infoTypeCount\":\"0\",\"fullScan\":false}",
"caiResource": "",
"cloudDlpDataProfile": "{\"dataProfile\":\"\"}",
"application": "{\"baseUri\":\"\",\"fullUri\":\"\"}",
"securityPosture": "{\"name\":\"\",\"revisionId\":\"\",\"policyDriftDetails\":[],\"policySet\":\"\",\"postureDeploymentResource\":\"\",\"postureDeployment\":\"\",\"changedPolicy\":\"\"}",
"logEntries": [
"{\"cloudLoggingEntry\":{\"insertId\":\"XXXXXXXX\",\"logId\":\"cloudaudit.googleapis.com/activity\",\"resourceContainer\":\"projects/masked-project\",\"timestamp\":\"0000-00-00T00:00:00Z\"}}"
],
"cloudArmor": "{\"securityPolicy\":{\"name\":\"\",\"type\":\"\",\"preview\":false},\"requests\":{\"ratio\":0,\"shortTermAllowed\":0,\"longTermAllowed\":0,\"longTermDenied\":0},\"adaptiveProtection\":{\"confidence\":0},\"attack\":{\"volumePps\":0,\"volumeBps\":0,\"classification\":\"\"},\"threatVector\":\"\",\"duration\":\"0s\"}",
"notebook": "{\"name\":\"\",\"service\":\"\",\"lastAuthor\":\"\",\"notebookUpdateTime\":\"1970-01-01T00:00:00Z\"}",
"toxicCombination": "{\"attackExposureScore\":0,\"relatedFindings\":[]}",
"groupMemberships": [],
"networks": [],
"chokepoint": "{\"relatedFindings\":[]}",
"remediationDetails": "{\"remediationIntent\":\"\",\"repositoryUri\":\"\",\"pullRequestUri\":\"\",\"remediationExplanation\":\"\",\"remediationState\":\"REMEDIATION_STATE_UNSPECIFIED\",\"remediationError\":\"\",\"prGenerationTime\":\"1970-01-01T00:00:00Z\",\"owner\":\"\"}",
"artifactGuardPolicies": "{\"resourceId\":\"\",\"failingPolicies\":[]}",
"complianceDetails": "{\"frameworks\":[],\"cloudControl\":{\"cloudControlName\":\"\",\"type\":\"CLOUD_CONTROL_TYPE_UNSPECIFIED\",\"policyType\":\"\",\"version\":0},\"cloudControlDeploymentNames\":[]}"
},
"resource": "{\"name\":\"//cloudresourcemanager.googleapis.com/organizations/abcd123XXX\",\"displayName\":\"masked-org\",\"type\":\"google.cloud.resourcemanager.Organization\",\"cloudProvider\":\"GOOGLE_CLOUD_PLATFORM\",\"service\":\"cloudresourcemanager.example.com\",\"location\":\"\",\"gcpMetadata\":{\"project\":\"\",\"projectDisplayName\":\"\",\"parent\":\"\",\"parentDisplayName\":\"\",\"folders\":[],\"organization\":\"organizations/abcd123XXX\"},\"awsMetadata\":{\"organization\":{\"id\":\"\"},\"organizationalUnits\":[],\"account\":{\"id\":\"\",\"name\":\"\"}},\"azureMetadata\":{\"tenant\":{\"id\":\"\",\"displayName\":\"\"},\"managementGroups\":[],\"subscription\":{\"id\":\"\",\"displayName\":\"\"},\"resourceGroup\":{\"name\":\"\"}},\"resourcePath\":{\"nodes\":[{\"nodeType\":\"GCP_ORGANIZATION\",\"id\":\"organizations/abcd123XXX\",\"displayName\":\"\"}]},\"resourcePathString\":\"organizations/abcd123XXX\",\"application\":{\"name\":\"\",\"attributes\":{\"criticality\":{\"type\":\"CRITICALITY_TYPE_UNSPECIFIED\"},\"environment\":{\"type\":\"ENVIRONMENT_TYPE_UNSPECIFIED\"},\"developerOwners\":[],\"operatorOwners\":[],\"businessOwners\":[]}}}"
}
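Most object-valued fields in the findings record above (access, mitreAttack, resource, each sourceProperties entry) arrive as JSON-encoded strings, so they need a second decode before they can be queried. The following is an added example, not Hunters' or Google's code; the function names and the trimmed sample record are constructed, and entries that do not decode are kept as raw strings and reported by path.

```python
import json

# Constructed record, trimmed to the shape of the findings sample on this page.
# sourceProperties[1] keeps the sample's unparseable "nanos":000000000 value.
SAMPLE = r'''{"finding": {
  "category": "Persistence: New Geography", "severity": "LOW", "state": "ACTIVE",
  "sourceProperties": [
    "{\"detectionPriority\":\"LOW\"}",
    "{\"evidence\":[{\"sourceLogId\":{\"timestamp\":{\"nanos\":000000000}}}]}",
    "{\"findingId\":\"abcd123abcd123abcd123X\"}"],
  "access": "{\"principalEmail\":\"masked_user@example.com\",\"callerIp\":\"XX.XX.XX.XX\"}",
  "mitreAttack": "{\"primaryTactic\":\"PERSISTENCE\",\"primaryTechniques\":[\"VALID_ACCOUNTS\",\"CLOUD_ACCOUNTS\"]}",
  "description": "", "externalSystems": []},
 "resource": "{\"displayName\":\"masked-org\"}"}'''


def unwrap(path, value, failed):
    """Decode ONE level of string-encoded JSON (lists element by element)."""
    # Decoded content is not re-scanned, so e.g. a userAgent inside "access" stays a string.
    if isinstance(value, list):
        return [unwrap(f"{path}[{i}]", v, failed) for i, v in enumerate(value)]
    if isinstance(value, str) and value.startswith(("{", "[")):
        try:
            return json.loads(value)
        except json.JSONDecodeError:
            failed.append(path)  # keep the raw string, record where it was
    return value


def summarize(raw_line):
    """Return the triage fields of one findings record plus undecodable paths."""
    record, failed = json.loads(raw_line), []
    f = {k: unwrap(f"finding.{k}", v, failed) for k, v in record.get("finding", {}).items()}
    resource = unwrap("resource", record.get("resource"), failed)
    # sourceProperties is a list of single-key objects: merge those that decoded.
    props = {k: v for p in f.get("sourceProperties", []) if isinstance(p, dict) for k, v in p.items()}
    access = f.get("access") if isinstance(f.get("access"), dict) else {}
    mitre = f.get("mitreAttack") if isinstance(f.get("mitreAttack"), dict) else {}
    return {
        "category": f.get("category"), "severity": f.get("severity"),
        "principal": access.get("principalEmail"), "caller_ip": access.get("callerIp"),
        "tactic": mitre.get("primaryTactic"), "techniques": mitre.get("primaryTechniques", []),
        "finding_id": props.get("findingId"), "undecoded": failed,
        "resource": resource.get("displayName") if isinstance(resource, dict) else None,
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE), indent=2))
```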