Skip to main content

Overview

The Google Cloud Security Command Center (SCC) integration (INT-009) ingests SCC findings into CaseBender and turns them into alerts (and optionally cases).

Automatic polling (pull)

CaseBender pulls new findings directly from SCC on a schedule using a service account — no Pub/Sub notification required.

Notification webhook (push)

Alternatively, an SCC notification (via Pub/Sub + Cloud Function) forwards findings to the CaseBender ingestion endpoint.
Recommended: enable Automatic polling. It requires only a read-only service account and no inbound endpoint. See Automatic polling.
Polling uses the official Google Cloud SDK (@google-cloud/security-center) to list findings via the SCC v1 API.

Capabilities

Prerequisites

1

Create a service account

In Google Cloud IAM, create a service account and download a JSON key. Grant it the Security Center Findings Viewer role (roles/securitycenter.findingsViewer) at the organization or project level.
2

Collect the organization or project ID

Record your numeric organization ID (recommended) or a project ID.
3

Network egress

The CaseBender poller must reach securitycenter.googleapis.com and oauth2.googleapis.com.

Configure the integration in CaseBender

1

Open the integration catalog

Go to Settings → Integrations → Create, then choose Google Cloud SCC from the Cloud Security category.
2

Enter GCP credentials

3

Enable automatic polling (recommended)

4

Configure auto-case creation

1

Scheduled pull

On each interval, CaseBender lists ACTIVE findings with eventTime at/after the last cursor, ordered by event time. On first run, findings within pollingInitialLookbackHours are imported.
2

Cursor + deduplication

CaseBender advances the cursor to the newest eventTime. Findings are deduplicated by finding name, so overlapping windows never create duplicates.
3

Normalization

Each finding is normalized into a CaseBender alert with observables and category tags.
Polling runs in CaseBender’s background poller service. Ensure it can reach securitycenter.googleapis.com (directly or via your proxy).

Inbound (notification webhook / push)

As an alternative, an SCC notification config (Pub/Sub → Cloud Function) can POST findings to:
Requests are authenticated with the integration API key in the x-api-key header. The { "finding": { ... }, "resource": { ... } } payload shape is expected.

Security considerations

  • Least privilege — grant only Security Center Findings Viewer.
  • Secret handling — the service account JSON key is stored in the integration settings; rotate it on your organization’s schedule and prefer a dedicated integration service account.
  • Network — restrict egress to securitycenter.googleapis.com and oauth2.googleapis.com.

Troubleshooting

Paste the entire JSON key file contents, including the surrounding braces.
Confirm the service account has the Findings Viewer role at the org/project you configured, and that ACTIVE findings exist newer than the cursor. On first run only findings within pollingInitialLookbackHours are imported.Make sure all CaseBender services are running — with Docker, docker compose ps should show the worker and misp-processor services Up.
The service account lacks securitycenter.findings.list at the requested scope, or the organization/project ID is incorrect.