Google Cloud Security Command Center
Collects security findings from Google Cloud Security Command Center (SCC), Google's centralized security and risk management platform for GCP resources.
| Attribute | Value |
| --- | --- |
| Category | Cloud Security |
| Connector Name | signal-client.gcp-scc |
| Auth Method | Service Account JSON Key |
| Polling Interval | 5 min |
| Multi-Instance | Yes |
| Vendor Docs | SCC API Documentation |
Prerequisites
Vendor Requirements
Active Google Cloud organization with Security Command Center enabled (Standard or Premium tier). Organization-level access required.
- Active Google Cloud organization (not just a project)
- SCC Standard or Premium tier enabled
- IAM access to create service accounts in a project and to grant roles on the organization's IAM policy (the org-level grant in Step 1 needs this)
- Network: Conductor can reach securitycenter.googleapis.com on port 443, and normally also oauth2.googleapis.com, where a service-account key is exchanged for an access token
Step 1: Create API Credentials
- Sign in to the Google Cloud Console at https://console.cloud.google.com/
- Select the project where you want to create the service account
- Navigate to IAM & Admin → Service Accounts
- Click Create Service Account
- Name the account (e.g., witfoo-scc-reader)
- Click Create and Continue
- Grant the role Security Center Findings Viewer (roles/securitycenter.findingsViewer). The wizard binds this role on the project only; the binding that SCC actually honours is the organization-level one added below.
- Click Done
- Select the new service account → Keys tab → Add Key → Create New Key → JSON
- Download the JSON key file. It is a long-lived credential: keep it out of source control and shared drives, delete the local copy once it has been pasted into Conductor, and rotate it by creating a new key, updating Conductor, then deleting the old key ID. If the Console refuses to create a key, the organization policy constraint iam.disableServiceAccountKeyCreation is enforced and the project needs an exception.
Organization-Level Access
SCC operates at the organization level, not the project level. The service account must have the Findings Viewer role granted at the organization level in IAM; a grant on the project alone produces 403 errors when the connector polls.
Grant Organization-Level Access
- Navigate to IAM & Admin → IAM with the organization (not a project or folder) selected in the resource picker
- Click Grant Access
- Enter the service account email (<name>@<project-id>.iam.gserviceaccount.com)
- Assign role: Security Center Findings Viewer
- Click Save
Step 2: Configure in Conductor
- Open the Conductor UI at https://<conductor-ip>/admin/settings/integrations
- From the Add Integration dropdown, select Google Cloud SCC
- Enter a unique name for this instance
- Fill in the settings form:

| Field | Value | Description |
| --- | --- | --- |
| Organization ID | <your-org-id> | GCP organization numeric ID (digits only, without the organizations/ prefix) |
| API Key | (paste full JSON key) | Service account JSON key content: the entire file, from the opening brace to the closing brace |

- Set the Polling Interval (recommended: 5 minutes)
- Toggle Enabled to on
- Click Save
Finding Your Organization ID
Navigate to Cloud Identity → Account → Account Settings, or run gcloud organizations list and use the numeric ID column, not the display name.
Step 3: Validate Data Flow
After saving, verify the integration is working:
- Check connection status: the integration tile should show a green status indicator within 1–2 polling cycles (5–10 minutes at the recommended interval)
- Check Signal Client logs for successful poll messages from this connector (the log command is listed under Troubleshooting below)
- Check artifacts in Analytics: navigate to WitFoo Analytics Signals → Search and search for artifacts from this source
Verify Credentials Locally
```bash
# Test the service account key (optional, from any machine with gcloud)
gcloud auth activate-service-account --key-file=<key-file>.json
gcloud scc findings list <organization-id> --source="-" --limit=5
```
A successful listing, even an empty one, shows that the key authenticates and that the organization-level binding is in place; a PERMISSION_DENIED here is the same 403 the connector would receive. This checks authentication and IAM only, not the network path from the Conductor host. activate-service-account stores the key in the local gcloud configuration, so run gcloud auth revoke <service-account-email> afterwards on any machine that is not meant to keep the credential.
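The gcloud check above needs the key to be installed on a machine with network access. The script below is an added example, not part of Conductor or of Google's tooling; it runs offline against the key file (or the pasted text) and catches the usual causes of a later 401 before the key goes into the form: a truncated paste, a user OAuth client file instead of a service-account key, a key for the wrong account, or a non-numeric organization ID. The function names, the regex, and the sample key (whose private_key is a placeholder) are all constructed for this example.

```python
"""Offline shape check for a Google service-account JSON key.

Added example; not part of Conductor or of Google's tooling. Nothing here
contacts Google and the key never leaves the machine. The sample key is
constructed and its private_key is a placeholder, not real key material.
"""
import json
import re
import sys

# Fields present in every service-account key issued by the Console or gcloud.
REQUIRED_FIELDS = (
    "type", "project_id", "private_key_id", "private_key", "client_email",
    "client_id", "auth_uri", "token_uri", "auth_provider_x509_cert_url",
    "client_x509_cert_url",
)
TOKEN_URI = "https://oauth2.googleapis.com/token"
# <account-id>@<project-id>.iam.gserviceaccount.com; both IDs are 6-30 lowercase
# letters, digits or hyphens and start with a letter (assumed regex, not Google's).
SA_EMAIL_RE = re.compile(
    r"^[a-z][-a-z0-9]{5,29}@[a-z][-a-z0-9]{4,29}\.iam\.gserviceaccount\.com$")


def check_service_account_key(raw: str, expected_email: str = "") -> list:
    """Return a list of problems with the key text; an empty list means it looks complete."""
    try:
        key = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno} (truncated paste?)"]
    if not isinstance(key, dict):
        return ["top-level JSON value is not an object"]
    problems = []
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account' "
                        "(a user OAuth client file has 'installed' or 'web' instead)")
    missing = [f for f in REQUIRED_FIELDS if not key.get(f)]
    if missing:
        problems.append("missing or empty fields: " + ", ".join(missing))
    pem = key.get("private_key", "")
    if pem and not (pem.startswith("-----BEGIN PRIVATE KEY-----")
                    and pem.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a complete PEM block (header or footer cut off)")
    email = key.get("client_email", "")
    if email and not SA_EMAIL_RE.match(email):
        problems.append(f"client_email {email!r} is not a service-account address")
    if expected_email and email != expected_email:
        problems.append(f"client_email {email!r} is not the expected account {expected_email!r}")
    if key.get("token_uri") and key["token_uri"] != TOKEN_URI:
        problems.append(f"token_uri {key['token_uri']!r} is not {TOKEN_URI}")
    return problems


def normalize_org_id(value: str) -> str:
    """Return the numeric organization ID the Conductor form expects.

    Accepts '123456789012' or the 'organizations/123456789012' resource name;
    rejects display names and anything else that is not all digits.
    """
    org = value.strip().removeprefix("organizations/")
    if not org.isdigit():
        raise ValueError(f"{value!r} is not a numeric organization ID; "
                         "use the ID column of `gcloud organizations list`")
    return org


# Constructed sample key (placeholder private key, not real material).
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "my-sec-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvPLACEHOLDER+NOT+A+REAL+KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "witfoo-scc-reader@my-sec-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": TOKEN_URI,
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/"
                            "witfoo-scc-reader%40my-sec-project.iam.gserviceaccount.com",
}, indent=2)
# Constructed failure cases: a paste that lost the end of the file, and one
# whose private_key lost its PEM footer.
TRUNCATED_PASTE = SAMPLE_KEY[:-60]
TRUNCATED_PEM = json.dumps({**json.loads(SAMPLE_KEY),
                            "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvPLACEHOLDER"})

if __name__ == "__main__":
    # Usage: python check_key.py [key-file.json]; no argument checks the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_KEY
    issues = check_service_account_key(text)
    print("OK: key looks complete" if not issues else "\n".join("PROBLEM: " + p for p in issues))
    sys.exit(1 if issues else 0)
```

Pass the service account email from Step 1 as expected_email to make sure the key downloaded is the one for the reader account and not for some other account in the same project; a clean result here still says nothing about IAM, which is what the 403 section covers.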
Troubleshooting
Authentication Failed (401)
- Verify the JSON key content was pasted correctly (including all fields; a truncated private_key, or a user OAuth client file pasted instead of a service-account key, both fail here)
- Ensure the service account has not been deleted or disabled
- Regenerate the key if needed: create a new key, update Conductor, then delete the old key ID
Forbidden (403)
- The service account likely lacks organization-level IAM binding
- Grant Security Center Findings Viewer at the organization level, not the project level
- Verify with:
```bash
gcloud organizations get-iam-policy <org-id>
```
The account must appear as serviceAccount:<email> under a binding whose role is roles/securitycenter.findingsViewer (or a broader Security Center role); a project-level grant does not show up in this output and does not satisfy SCC.
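Reading a large organization policy by eye is error-prone, and two things are easy to miss: a grant that carries an IAM condition (which only applies while the condition holds) and a binding that still names the account after it was deleted (IAM rewrites such members with a deleted: prefix). The script below is an added example, not Conductor or Google code; it takes the JSON from gcloud organizations get-iam-policy <org-id> --format=json and reports whether the account has a direct, unconditional findings-capable role. The function name, the role set, and the sample policy are constructed for this example.

```python
"""Audit an organization IAM policy for the binding the SCC connector needs.

Added example; not Conductor or Google code. Input is the JSON printed by
`gcloud organizations get-iam-policy <org-id> --format=json`. The sample
policy below is constructed data.
"""
import json
import sys

FINDINGS_VIEWER = "roles/securitycenter.findingsViewer"
# Predefined Security Center roles whose permissions include reading findings.
# Broader than the connector needs; listed so a 403 is not misdiagnosed when
# one of these is already bound.
ROLES_WITH_FINDINGS_READ = {
    FINDINGS_VIEWER,
    "roles/securitycenter.findingsEditor",
    "roles/securitycenter.adminViewer",
    "roles/securitycenter.adminEditor",
    "roles/securitycenter.admin",
}


def audit_org_binding(policy_json: str, sa_email: str) -> dict:
    """Summarise what the policy grants to serviceAccount:<sa_email>.

    Returns {"bound": bool, "roles": [...], "problems": [...]}. bound is True
    only for a direct, unconditional grant of a findings-capable role.
    """
    policy = json.loads(policy_json)
    member = f"serviceAccount:{sa_email}"
    # IAM rewrites members of deleted principals as deleted:serviceAccount:<email>?uid=<id>
    stale = f"deleted:serviceAccount:{sa_email}"
    result = {"bound": False, "roles": [], "problems": []}
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        members = binding.get("members", [])
        if any(m.startswith(stale) for m in members):
            result["problems"].append(
                f"{role} references the account as deleted; recreate the account and rebind it")
        if member not in members or role not in ROLES_WITH_FINDINGS_READ:
            continue
        condition = binding.get("condition")
        if condition:
            result["problems"].append(
                f"{role} is granted only while condition {condition.get('title', '')!r} holds "
                f"({condition.get('expression', '')}); not counted as a standing grant")
            continue
        result["bound"] = True
        result["roles"].append(role)
    if not result["bound"]:
        result["problems"].append(
            f"no unconditional Security Center findings role for {sa_email} at the organization "
            f"level; grant {FINDINGS_VIEWER} on the organization, not on a project")
    return result


# Constructed sample policy: a correct grant for the reader account, a
# conditional grant for another account, and a stale binding for a deleted one.
SAMPLE_POLICY = json.dumps({
    "version": 3,
    "etag": "BwConstructedEtag=",
    "bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["user:admin@example.com"]},
        {"role": FINDINGS_VIEWER,
         "members": ["group:soc-analysts@example.com",
                     "serviceAccount:witfoo-scc-reader@my-sec-project.iam.gserviceaccount.com"]},
        {"role": "roles/securitycenter.admin",
         "members": ["serviceAccount:temp-auditor@my-sec-project.iam.gserviceaccount.com"],
         "condition": {"title": "audit-window",
                       "expression": "request.time < timestamp('2024-01-01T00:00:00Z')"}},
        {"role": "roles/viewer",
         "members": ["deleted:serviceAccount:old-reader@my-sec-project.iam.gserviceaccount.com?uid=1234567890"]},
    ],
})

if __name__ == "__main__":
    # Usage: python audit_scc_binding.py policy.json <service-account-email>
    if len(sys.argv) == 3:
        policy_text, account = open(sys.argv[1], encoding="utf-8").read(), sys.argv[2]
    else:
        policy_text, account = SAMPLE_POLICY, "witfoo-scc-reader@my-sec-project.iam.gserviceaccount.com"
    report = audit_org_binding(policy_text, account)
    print("bound via " + ", ".join(report["roles"]) if report["bound"] else "NOT BOUND")
    for problem in report["problems"]:
        print("PROBLEM:", problem)
    sys.exit(0 if report["bound"] and not report["problems"] else 1)
```

The script only sees the organization policy it is given: it cannot tell whether the account inherits the role through a Google group listed as a group: member, and it does not look at project policies, which is deliberate since a project-level grant is exactly the one that does not work for SCC.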
SCC Tier Limitations
- Standard tier provides limited finding types (Security Health Analytics)
- Premium tier adds Event Threat Detection, Container Threat Detection, etc.
- Check your SCC tier under Security → Security Command Center → Settings
No Data Appearing
- Confirm SCC is enabled at the organization level
- Enable security sources (Security Health Analytics, Event Threat Detection); a disabled source produces no findings for the connector to poll
- Check Signal Client logs:
```bash
docker logs signal-client-svc --tail=100
```
- Verify network connectivity from the Conductor host:
```bash
curl -I https://securitycenter.googleapis.com
```
Any HTTP status in the reply (404 for the bare hostname is normal) shows that TLS egress works; a timeout or connection refused points at a firewall or proxy between Conductor and Google.
See also: Integration Catalog · Integration Management · Signal Client · Common Troubleshooting