Google Security Command Center(SCC) Integration

Google Security Command Center Integration

Google Cloud Security Command Center (SCC) is Google Cloud's centralized security and risk management platform. It provides threat detection, vulnerability assessment, and compliance monitoring across your Google Cloud environment.

Since SCC does not support direct outbound webhook calls, notifications are routed through Google Cloud's Pub/Sub messaging service. A Cloud Function acts as the middleware: it receives the Pub/Sub message, decodes the Base64-encoded payload, and forwards the raw SCC JSON directly to the platform's webhook endpoint. The platform then processes the payload using JSONPath-based priority mapping to create and manage alerts.

Integration Flow

SCC Finding → Pub/Sub Topic → Cloud Function → HTTP POST → Platform Webhook

1. Google SCC detects a security finding (e.g., a misconfiguration or active threat) in your cloud environment.

2. The SCC Continuous Export publishes the finding to a Pub/Sub topic.

3. The Cloud Function is triggered by the Pub/Sub topic, decodes the Base64-encoded message, and forwards the raw JSON payload to the platform webhook without any transformation.

4. The platform receives the payload, evaluates the finding.severity field via JSONPath, maps it to the internal priority scale, and creates or resolves the alert accordingly.

Provider Configuration

The platform uses JSONPath-based priority mapping to extract the severity value directly from the raw SCC payload.

Priority Mapping Config:

{
  "priority": {
    "field": "$.finding.severity",
    "options": [
      { "value": "CRITICAL", "label": "Critical" },
      { "value": "HIGH", "label": "High" },
      { "value": "MEDIUM", "label": "Medium" },
      { "value": "LOW", "label": "Low" }
    ],
    "mapping": {
      "CRITICAL": "CRITICAL",
      "HIGH": "HIGH",
      "MEDIUM": "MEDIUM",
      "LOW": "LOW"
    }
  }
}

Status (Event Type) Mapping:

Fingerprint (Correlation) Field: $.finding.name

SCC assigns a unique finding.name to each finding. The platform uses this field to correlate ACTIVE and INACTIVE events — both payloads must contain the identical finding.name value for recovery to work correctly.

Webhook Payload Schema

Alert Payload Examples

Raised (ACTIVE)

This payload is delivered when SCC detects a new security finding. The finding.state field is ACTIVE.

— ACTIVE payload received at webhook.site

Cleared (INACTIVE)

This payload is delivered when a finding is resolved. The finding.state field changes to INACTIVE.

— INACTIVE payload received at webhook.site

Important: The finding.name value must be identical in both ACTIVE and INACTIVE payloads. The platform uses this field to match the recovery event to the original alert.

Installation & Configuration

Step 1: Create an Alert Source in the Platform

1. Log in to the alert management platform.

2. Navigate to Integrations → Add Integration.

3. Select Google Security Command Center as the provider.

4. Name the integration (e.g., Production GCP Security).

5. Save and copy the generated Webhook URL and Token.

Step 2: Create a Pub/Sub Topic

1. In Google Cloud Console, search for Pub/Sub in the search bar and navigate to the service.

— Pub/Sub Topics page

1. Click + Create Topic.

2. Set the Topic ID to scc-alerts-topic.

3. Leave "Add a default subscription" checked.

4. Click Create.

The topic detail page will confirm creation. The full topic path is shown as projects/YOUR_PROJECT_ID/topics/scc-alerts-topic and the default subscription scc-alerts-topic-sub will appear under the Subscriptions tab.

— scc-alerts-topic created with default subscription visible

Step 3: Create a Continuous Export in SCC

SCC Continuous Export sends all findings matching your filter to the Pub/Sub topic automatically.

Organization Requirement: This step requires Organization-level access in Google Cloud. If your account does not have an organization (e.g., personal or trial projects), skip to the Testing section and use the manual Pub/Sub publish method to validate the integration end-to-end.

1. Navigate to Security Command Center in Google Cloud Console.

2. Go to Settings → Continuous Exports from the left menu.

3. Click + Create Export and configure the following:

   • Name: scc-to-webhook

   • Project: Select the project where your Pub/Sub topic was created

   • Pub/Sub topic: scc-alerts-topic

   • Filter: Leave empty to receive all findings

   Important: If you set state="ACTIVE" as a filter, only new findings will be published to Pub/Sub. INACTIVE (recovery) events will not be sent, and the platform will never receive recovery notifications. Leave the filter empty to receive both ACTIVE and INACTIVE events.

4. Click Save.

Step 4: Deploy the Cloud Function

The Cloud Function receives Pub/Sub messages, decodes the Base64 payload, and forwards the raw SCC JSON to the platform webhook.

4.1 — Navigate to Cloud Functions

Search for Cloud Functions in the Google Cloud Console search bar and click on Cloud Run functions in the results.

— Cloud Functions search result 4.2 — Create the Service

Click + Create Function. On the Create service page:

• Select "Use an inline editor to create a function"

• Service name: scc-webhook-forwarder

• Region: europe-west1 (or the same region as your Pub/Sub topic)

• Runtime: Node.js 24

— Create service form with Function option selected 4.3 — Configure the Pub/Sub Trigger

Click + Add trigger and select Cloud Pub/Sub from the dropdown. The Eventarc trigger panel will open.

If prompted to Enable required APIs, click Enable and wait for the Eventarc API to activate.

In the Eventarc trigger panel:

• Event provider: Cloud Pub/Sub (already set)

• Event type: google.cloud.pubsub.topic.v1.messagePublished (already set)

• Select a Cloud Pub/Sub topic: Choose scc-alerts-topic

• Click Grant on the IAM role warning to allow Pub/Sub to create identity tokens

Click Save trigger.

The trigger configuration will now show the connected topic and service account.

— Eventarc trigger configured with scc-alerts-topic The full service configuration page with trigger, runtime, and authentication settings will be visible before deployment.

— Complete service configuration ready for deployment Click Create.

4.4 — Add the Function Code

After the service is created, the Source tab will open with the inline code editor.

• Set the Function entry point to forwardSccToWebhook

• Replace the contents of index.js with the following code:

Replace https://YOUR_PLATFORM_WEBHOOK_URL_HERE with the Webhook URL copied from Step 1.

Click Save and redeploy. Wait for all deployment steps to show green checkmarks.

— Cloud Function deployed successfully with green tick, entry point forwardSccToWebhook visible

Testing

Option A — Manual Pub/Sub Publish (Recommended)

This method bypasses SCC entirely and tests the Cloud Function → Webhook path directly. It works regardless of whether you have Organization-level access.

Open Cloud Shell from the Google Cloud Console toolbar and run the following commands:

ACTIVE — Create an alert:

INACTIVE — Send recovery:

Each command returns a messageIds array confirming the message was published to Pub/Sub.

— Cloud Shell with INACTIVE test command and messageIds response

Option B — Verify via Cloud Function Logs

Navigate to Cloud Run → scc-webhook-forwarder → Observability → Logs.

Confirm the following log lines appear after each test message:

• SCC finding received: {"finding":{"name":"projects/testproject-123456...

• Webhook response: 200

— Cloud Function Logs showing SCC finding received and Webhook response: 200

Verify Alert Trigger (ACTIVE)

After the ACTIVE message is published, the platform webhook receives the full SCC JSON payload.

— webhook.site showing ACTIVE payload with state: "ACTIVE" and full JSON body Verify in the platform:

• A new alert was created with Status: PROBLEM

• The alert title reflects finding.category (TEST_OPEN_FIREWALL)

• The severity mapped correctly: HIGH → High

Verify Recovery (INACTIVE)

After the INACTIVE message is published, the platform receives the recovery payload.

— webhook.site showing INACTIVE payload with state: "INACTIVE" and matching finding.name Verify in the platform:

• The existing alert transitioned to Status: RECOVERY

• The finding.name matched the original ACTIVE alert for correct correlation

Verification Checklist

• An ACTIVE finding payload was received by the platform (status: PROBLEM).

• The payload contains the correct finding.category, finding.severity, and resource.projectDisplayName.

• An INACTIVE finding payload was received after resolution (status: RECOVERY).

• The finding.name field is identical in both ACTIVE and INACTIVE payloads — correlation is working.

• Cloud Function logs show no errors and Webhook response: 200 for each delivery.

Troubleshooting