Overview
The Google Cloud Security Command Center (SCC) integration (INT-009) ingests SCC findings into CaseBender and turns them into alerts (and optionally cases).Automatic polling (pull)
CaseBender pulls new findings directly from SCC on a schedule using a service
account — no Pub/Sub notification required.
Notification webhook (push)
Alternatively, an SCC notification (via Pub/Sub + Cloud Function) forwards
findings to the CaseBender ingestion endpoint.
Polling uses the official Google Cloud SDK (
@google-cloud/security-center) to list
findings via the SCC v1 API.Capabilities
Prerequisites
1
Create a service account
In Google Cloud IAM, create a service account and download a JSON key. Grant it the
Security Center Findings Viewer role (
roles/securitycenter.findingsViewer) at the
organization or project level.2
Collect the organization or project ID
Record your numeric organization ID (recommended) or a project ID.
3
Network egress
The CaseBender poller must reach
securitycenter.googleapis.com and
oauth2.googleapis.com.Configure the integration in CaseBender
1
Open the integration catalog
Go to Settings → Integrations → Create, then choose Google Cloud SCC from the
Cloud Security category.
2
Enter GCP credentials
3
Enable automatic polling (recommended)
4
Configure auto-case creation
Inbound (automatic polling, recommended)
1
Scheduled pull
On each interval, CaseBender lists ACTIVE findings with
eventTime at/after the last cursor,
ordered by event time. On first run, findings within pollingInitialLookbackHours are
imported.2
Cursor + deduplication
CaseBender advances the cursor to the newest
eventTime. Findings are deduplicated by
finding name, so overlapping windows never create duplicates.3
Normalization
Each finding is normalized into a CaseBender alert with observables and category tags.
Polling runs in CaseBender’s background poller service. Ensure it can reach
securitycenter.googleapis.com (directly or via your proxy).Inbound (notification webhook / push)
As an alternative, an SCC notification config (Pub/Sub → Cloud Function) can POST findings to:x-api-key header. The
{ "finding": { ... }, "resource": { ... } } payload shape is expected.
Security considerations
- Least privilege — grant only Security Center Findings Viewer.
- Secret handling — the service account JSON key is stored in the integration settings; rotate it on your organization’s schedule and prefer a dedicated integration service account.
- Network — restrict egress to
securitycenter.googleapis.comandoauth2.googleapis.com.
Troubleshooting
Service account key is not valid JSON
Service account key is not valid JSON
Paste the entire JSON key file contents, including the surrounding braces.
Polling is enabled but no findings appear
Polling is enabled but no findings appear
Confirm the service account has the Findings Viewer role at the org/project you configured,
and that ACTIVE findings exist newer than the cursor. On first run only findings within
pollingInitialLookbackHours are imported.Make sure all CaseBender services are running — with Docker, docker compose ps should
show the worker and misp-processor services Up.PermissionDenied errors
PermissionDenied errors
The service account lacks
securitycenter.findings.list at the requested scope, or the
organization/project ID is incorrect.