Google Security Command Center
  • 27 Mar 2025


Article summary

Security Command Center is Google Cloud's centralized vulnerability and threat reporting service. Security Command Center helps you strengthen your security posture by evaluating your security and data attack surface; providing asset inventory and discovery; identifying misconfigurations, vulnerabilities and threats; and helping you mitigate and remediate risks.

For more information, refer to the official Google Security Command Center documentation.

Integration Method: API

Tables: Compliance Finding (2003), Detection Finding (2004), Vulnerability Finding (2002)

This integration supports the following events.

Event    | Description
Findings | Retrieves a collection of findings that have been detected across all sources within an organization in Google Security Command Center (SCC).

This integration supports the following versions.

Google Security Command Center API Version | v2

Note:

At the time this document was prepared, the latest release of the API was dated March 14, 2025.

Prerequisites

  • The user should have access to the Google Cloud Platform (GCP) console and should ensure that Google Security Command Center (SCC) is activated at the organization level.

  • The user should generate, or have access to, service account credentials to authenticate REST API calls. To create a service account, open the Service accounts page in GCP, select or create a project, and click Create service account.

  • The user should have access to the DataBee console.

Configuration Overview

  1. Generate a service account with the required scopes and its private key.

  2. Add the Security Command Center (SCC) data feed in the DataBee console with the parameters below.

     DataBee Parameter | Security Command Center (SCC) Parameter
     Client Email      | Service account email ID
     Admin Email       | Domain admin email ID
     Private Key       | Private key

Google Security Command Center Configuration

Setting Up the New Project

  1. Log in to your Google Cloud Platform console.

  2. In the console, click your organization name in the navigation bar.

  3. In the “Select a resource” window, click NEW PROJECT.

  4. In the “New Project” window, enter your project name and click Create.

Setting Up the Service Account

Perform the following steps to set up Google Workspace credentials in your Google console:

  1. Navigate to console.cloud.google.com and log in to the Google account where you want to set up your Google Workspace credentials.

  2. Navigate to APIs & Services > Enabled APIs & services.

  3. Click the search bar.

  4. Search for the Admin SDK API and select it.

  5. In “Admin SDK API”, click ENABLE to enable the Admin SDK API. Calls to this API let you view and manage resources such as users, groups, and audit and usage reports for your domain.

  6. Navigate to IAM & Admin > Service Accounts.

  7. On the Service Accounts page, select CREATE SERVICE ACCOUNT > Service Accounts.

  8. On the “Create service account” page, perform the following steps:

    1. Name your service account and select CREATE AND CONTINUE.

    2. Grant your service account access to a project.

    3. Select Continue.

    4. Grant users access to your service account.

    5. Select DONE.

Plan Activation for Google Security Command Center

  1. Log in to your Google Cloud Platform console.

  2. Select the organization for which you want to enable Security Command Center, and then click Select.

  3. Click Security > Risk Overview.

  4. In Select tier, select a tier and click Next.

  5. Click UPDATE YOUR TIER.

  6. After confirming that the Google SCC service is activated at the organization level, obtain the service account's credentials for accessing the service via REST calls.

Getting Client ID and Private Key

  1. In Credentials, locate your new service account and select its name.

  2. On the “Service account details” page for your new service account, perform the following steps:

    1. Locate the Unique ID and copy its contents.

    2. This Unique ID is also your Client ID.

    3. Navigate to the KEYS tab.

    4. Select ADD KEY > Create new key.

    5. Select the JSON key type and click CREATE.

    6. Save the key as a JSON file to a directory of your choice. (The original article shows a sample private key file here.)

      Note:

      Your new public/private key pair is generated and downloaded to your machine, and this download is the only copy of the key. Store it in a secure place.

Setting Up Domain-Wide Delegation

  1. Navigate to admin.google.com.

  2. Navigate to Security > Access and data control > API controls.

  3. On the “API Controls” page, navigate to Domain wide delegation and select MANAGE DOMAIN WIDE DELEGATION.

  4. On the “Domain-wide Delegation” page, select Add new to add a new client ID.

  5. In the “Add a new client ID” window, perform the following steps:

    1. In the ‘Client ID’ field, paste the Client ID, which is the value of the client_id key in the service account's private key file.

    2. In the ‘OAuth scopes (comma-delimited)’ field, add the following read-only scope to fetch users, deleted users, roles, and mobile device data:

      1. https://www.googleapis.com/auth/cloud-platform

Assign IAM Roles to Service Account

To assign roles to the newly created service account, follow the steps below:

  1. Open the Google Cloud Console.

  2. In the left-hand navigation pane, click IAM & Admin.

  3. Then select IAM.

  4. Ensure you have selected the correct organization from the project/organization selector at the top of the page.

  5. Click the Add button at the top of the IAM page.

  6. Click GRANT ACCESS.

  7. In the ‘New members’ field, enter the email address of the service account you created.

  8. In the ‘Select a role’ dropdown, choose the role(s) you want to assign to the service account. You can search for roles or browse through the categories. The roles below are the minimum required for accessing the Google SCC API.

    • Organization Admin

    • Security Center Admin Viewer

  9. Click the SAVE button to apply the roles to the service account.

DataBee Configuration

  1. Log in to the DataBee UI, navigate to Data > Data Feeds, and click the Add New Data Feed button.

  2. Search for the Google Security Command Center option using the search bar on the “Add new data feed” page.

  3. Click the API Ingest option for the collection method.

  4. Enter the feed contact information and click Next.

  5. In the configuration details dialog, enter the following:

    • Authorization Method: Google OAuth2

    • API Base URL: replace the <instance> placeholder with the value for the location of your GCP account, as listed below.

      • global: securitycenter

      • me-central-2: securitycenter.me-central2.rep

    • Organization ID: enter the organization ID. Refer to link for more information.

    • Token URL: enter https://oauth2.googleapis.com/token

    • Private Key: paste the private key from the Service Account JSON file downloaded earlier. Paste only the base64 body, without the BEGIN/END lines or \n sequences.

      Example:

      • Correct Format: MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAA

      • Incorrect Format: -----BEGIN PRIVATE KEY----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAA\n-----END PRIVATE KEY-----\n

    • Client Email: enter the email address created during the service account creation process.

    • Admin Email: enter the email address of the user for which the application is requesting delegated access. If no domain-wide authority is delegated to the service account, enter the same email as in the Client Email field.

  6. Click Submit.

Troubleshooting Tips

  • If you are seeing invalid_client or unauthorized_client errors, the cause might be incorrect service account credentials. Ensure the private key is pasted correctly. Since you cannot view the key after the first download, re-create the service account key, paste it into a text editor to verify there are no spaces or unexpected characters, and reconfigure the DataBee feed.

  • If you are seeing a 403 response code, the cause might be missing permissions. Ensure that the service account has the required Google Security Command Center roles and permissions, as per the steps above.
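The private key format in configuration step 5 and the invalid_client troubleshooting tip above come down to the same check: the private_key value in the downloaded JSON file must be reduced to its bare base64 body before it is pasted into DataBee. The following Python script is an added example, not DataBee's or Google's own code. It reads a service account JSON key file (a constructed sample that reuses the article's truncated placeholder key, not real key material), extracts the client_id needed for the domain-wide delegation step and the client_email, strips the PEM header, footer and line breaks from the private key, flags the paste errors that typically produce invalid_client, and assembles the API Base URL from the <instance> values listed in the article. The ".googleapis.com" suffix on the base URL and the v2 findings path are assumptions, as is the check that the Organization ID is numeric.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed sample of a downloaded service-account JSON key file. The private_key
# body is the truncated placeholder from the article, not real key material.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",                       # placeholder
    "private_key_id": "0123456789abcdef0123456789abcdef",  # placeholder
    "private_key": "-----BEGIN PRIVATE KEY-----\n"
                   "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAA\n"
                   "-----END PRIVATE KEY-----\n",
    "client_email": "scc-reader@example-project.iam.gserviceaccount.com",  # placeholder
    "client_id": "123456789012345678901",                  # placeholder Unique ID
    "token_uri": "https://oauth2.googleapis.com/token",
})

# <instance> values from the article, keyed by GCP location.
INSTANCE_BY_LOCATION = {
    "global": "securitycenter",
    "me-central-2": "securitycenter.me-central2.rep",
}

# Assumption: the API Base URL is https://<instance>.googleapis.com and the
# Findings event is served from the v2 organization-wide findings path.
BASE_URL_TEMPLATE = "https://{instance}.googleapis.com"
FINDINGS_PATH = "/v2/organizations/{org_id}/sources/-/findings"

PEM_RE = re.compile(
    r"-----BEGIN PRIVATE KEY-----\s*(.*?)\s*-----END PRIVATE KEY-----", re.S
)
BASE64_RE = re.compile(r"[A-Za-z0-9+/]+=*")


def strip_pem(private_key: str) -> str:
    """Reduce a PEM-encoded private key to the bare base64 body DataBee expects."""
    match = PEM_RE.search(private_key)
    body = match.group(1) if match else private_key
    return re.sub(r"\s+", "", body)


def check_key_body(body: str) -> List[str]:
    """Return the paste errors that lead to invalid_client; an empty list means the body is clean."""
    problems = []
    if "BEGIN" in body or "END" in body:
        problems.append("PEM header/footer present; paste only the base64 body")
    if "\\n" in body:
        problems.append("literal \\n sequences inside the key")
    if re.search(r"\s", body):
        problems.append("whitespace or line breaks inside the key")
    if not BASE64_RE.fullmatch(body):
        problems.append("characters outside the base64 alphabet")
    return problems


def feed_parameters(key_file_json: str, org_id: str, location: str = "global",
                    admin_email: Optional[str] = None) -> Dict[str, str]:
    """Derive the DataBee feed parameters from a service-account key file."""
    sa = json.loads(key_file_json)
    if sa.get("type") != "service_account":
        raise ValueError("not a service account key file")
    if not org_id.isdigit():  # assumption: GCP organization ids are numeric
        raise ValueError("Organization ID must be the numeric GCP organization id")
    if location not in INSTANCE_BY_LOCATION:
        raise ValueError(f"unknown location {location!r}")
    body = strip_pem(sa["private_key"])
    problems = check_key_body(body)
    if problems:
        raise ValueError("private key not in the expected format: " + "; ".join(problems))
    base_url = BASE_URL_TEMPLATE.format(instance=INSTANCE_BY_LOCATION[location])
    return {
        "api_base_url": base_url,
        "findings_url": base_url + FINDINGS_PATH.format(org_id=org_id),
        "organization_id": org_id,
        "token_url": sa.get("token_uri", "https://oauth2.googleapis.com/token"),
        "private_key": body,
        "client_email": sa["client_email"],
        # Without domain-wide delegation, Admin Email is the same as Client Email.
        "admin_email": admin_email or sa["client_email"],
        # Unique ID to paste into the domain-wide delegation Client ID field.
        "dwd_client_id": sa["client_id"],
    }


if __name__ == "__main__":
    params = feed_parameters(SAMPLE_KEY_FILE, "123456789012")
    for name, value in params.items():
        print(f"{name}: {value}")
    # The article's "Incorrect Format" string, with its literal \n sequences, is rejected.
    print(check_key_body("-----BEGIN PRIVATE KEY----\\nMIIE\\n-----END PRIVATE KEY-----\\n"))
```

Run the script against a real key file by replacing SAMPLE_KEY_FILE with the file's contents; the private_key value it prints is what goes into the Private Key field, and check_key_body is the same test to apply to a key pasted into a text editor while following the troubleshooting tip.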

