Setting up Security Command Center tools

Stay organized with collections Save and categorize content based on your preferences.

This page provides information about how to prepare your Google Cloud project to install the Security Command Center tools app package. These apps add new functionality that show how you can use Security Command Center in your organization.

These apps demonstrate how to develop integrations or add-ons to the Security Command Center platform. If you're a third-party security solution developer, or if you need something more specific for your organization, you might find these example apps particularly useful.


The Security Command Center tools package includes the following components:

Hello World

Hello World is a small example app that calls the Security Command Center API to get an organization's assets or security provider findings. This app uses Cloud Functions to integrate with Security Command Center APIs and trigger security workflows based on Security Command Center queries:

  • Log query parameters and results.
  • Disable firewall rules that allow SSH connections to an instance.
  • Remove access to a Cloud Storage bucket.
  • Create a snapshot for each disk that belongs to an instance.

Hello World also includes a small library of example Cloud Functions that enable you to programmatically trigger the following actions with Pub/Sub messages:

  • Repair firewall
  • Snapshot VM
  • Change bucket ACL

You can use the Hello World app code as a starting point for other behaviors like:

  • Use Cloud Scheduler to periodically call a Pub/Sub topic and trigger a security workflow.
  • Store query results in a database or send it to another system as a notification.
  • Add a new Cloud Functions function to call another Google API.

If you want to receive proactive alerts, Security Command Center includes a generally available Notifications feature that you can use instead of the Creator and Notifier examples on this page.


The Alerts example app provides a code example of how to connect to a Security Command Center API Notifications Pub/Sub topic. This example app also includes how you can connect, receive notifications, and then forward the notifications as alerts to several external systems.

External systems examples include:

  • SendGrid: for email messages
  • Twilio: for SMS messages
  • Jira: for issues creation
  • Slack: for instant messaging
  • Hangouts Chat: for instant messaging


The Creator example app queries Security Command Center data at regular intervals and sends the results to a Notifications Pub/Sub topic. The Creator app provides examples of how to use the filter, readTime, and compareDuration parameters of the Security Command Center API.


The Security Command Center tools package includes a Notifier example app that offers similar functionality, separate from the Security Command Center API. The Notifier app subscribes to a notifications Pub/Sub topic and sends notifications to a configured channel, like email or SMS. The Notifier app refers to Security Command Center query results from other apps, like the Creator and Query Builder apps.

You can develop your own application to subscribe to the same Notifications Pub/Sub topic, and customize how you handle the messages you get. For example, you could process the results and send them to one of your organization's internal systems, or store the results for further analysis in a database that you specify.

Query Builder

The Query Builder app enables you to create and schedule advanced, multi-step queries on Security Command Center data using a web application interface. Query results can be sent to a Notifications Pub/Sub topic where other apps can consume them. You can also configure Query Builder to add Security Command Center security marks to query results.

For example, you could schedule a query to periodically look for network firewalls with port 22 allowed. You could then use Query Builder to mark the results in Security Command Center and notify your security team so they can take appropriate action.

Audit Logs

The Audit Logs app can ingest Cloud Audit Logs logs through export sinks and create Security Command Center security findings. This app includes integration of Access Transparency alerts and Binary Authorization alerts for Blocked Deployments and Break Glass scenarios. The Audit Logs app is a streaming Dataflow job. Using the Audit Logs app incurs charges per Dataflow pricing.

This app creates single and aggregated log types:

  • Single log types create a Security Command Center finding for each occurrence found:
    • Google Kubernetes Engine Binary Authorization
    • Access Transparency
    • Compute Engine
    • Cloud Storage
    • Service Networking
  • Aggregated log types group findings within a Dataflow period and then creates a Security Command Center finding:
    • Identity and Access Management (IAM)

Splunk Connector

The Splunk Connector app uses the Security Command Center API to export an organization's assets and findings. You can configure the app to filter Security Command Center data to limit the data that's exported. For example, you could search for only findings of a specific type. The app runs on a schedule and delivers results to a Pub/Sub topic that's connected to a Splunk Server Addon.

Setup scripts

The Security Command Center tools package includes a set of companion scripts and utilities. The scripts and utilities are used during installation to create the necessary Google Cloud infrastructure for each app and help deploy the apps.

These scripts do things like:

  • Create projects
  • Create service accounts
  • Generate SSL certificates
  • Deploy apps

This guide includes detailed instructions about how to execute the commands to install the Security Command Center tools using the setup scripts.

Figure 1 provides a high-level overview of the Security Command Center tools, not including the setup scripts:

Security Command Center Tools overview diagram.
Figure 1. Diagram of the Security Command Center tools with a description of how each tool interacts with Security Command Center.

Before you begin

To complete this guide, you need the following:

  • An active Google Cloud Organization with Security Command Center enabled.
  • An active Cloud Billing account.
  • The project ID that you want to use to access the Security Command Center API. This project must have the API enabled.
  • The following Identity and Access Management roles at the organization level:
    • Billing Account User - roles/billing.user
    • DNS Administrator - roles/dns.admin
    • Organization Administrator - roles/resourcemanager.organizationAdmin
    • Organization Role Administrator - roles/iam.organizationRoleAdmin
    • Organization Role Viewer - roles/iam.organizationRoleViewer
    • Project Creator - roles/resourcemanager.projectCreator
    • Pub/Sub Publisher - roles/pubsub.publisher
    • Security Center Admin - roles/securitycenter.admin
    • Service Account Admin - roles/iam.serviceAccountAdmin
    • Service Account Key Admin - roles/iam.serviceAccountKeyAdmin
    • Service Management Administrator - roles/servicemanagement.admin

Installing Security Command Center tools

To install the Security Command Center tools, complete the steps below to prepare your environment. After you complete this guide, you can install each tool independently by following the README that's included with the tool.

You must use Cloud Shell to install the tools. Cloud Shell provides command-line access to your Google Cloud resources directly from your browser.

Get the tools package

Run the following commands to download the tools package and set up a working directory:

  1. Go to the Google Cloud console.
    Go to the Google Cloud console page
  2. Click Activate Cloud Shell.
  3. Get the name of the tools version you want to use. These are stored with a timestamp, so you need to display the Cloud Storage bucket contents.

       # list available versions
       gsutil ls gs://cloud-scc-beta-example-apps-download/
  4. Set environment variables for your working directory and the tools version you want to download.

    1. The Security Command Center tools release version:

        # the Cloud SCC tools release version you want to download, for example 3.4.0
        export VERSION=release-version
    2. The filename for the tools version:

        # the filename for the tools version you want to download,
        # for example
        export FILENAME=filename
    3. The path for your working directory:

        # directory to unzip the installation zip files
        export WORKING_DIR=${HOME}/scc-tools-install
  5. Create your working directory:

       # create the working directory
       mkdir $WORKING_DIR
  6. Go to the working directory:

       # go to the working directory
       cd $WORKING_DIR
  7. Download the Security Command Center tools files by running:

       gsutil cp gs://cloud-scc-beta-example-apps-download/${FILENAME} .
  8. Unzip the Security Command Center tools files:

       unzip -qo ${FILENAME} -d .
  9. Download the README file that is included in the tools files you unzipped:

       cloudshell download ${VERSION}/README-${VERSION}.pdf
  10. Complete setup by following the steps in the README-version.pdf that you downloaded.

After you complete the README, you are ready to install any of the Security Command Center tools using the tool installation guides.

Installation guides

The tools package that you downloaded contains a README that includes installation instructions for each app. To get a README, go to the tools file directory that contains the README you want to use. Then, run cloudshell download readme from the directory, where readme is the name of the tools README that you want to download:

  • Hello World: scc-hello-world-README-${VERSION}.pdf
  • Creator: scc-creator-README-${VERSION}.pdf
  • Query Builder: scc-query-builder-README-${VERSION}.pdf
  • Notifier: scc-notifier-README-${VERSION}.pdf
  • Audit Logs: scc-audit-logs-README-${VERSION}.pdf
  • Splunk Connector: scc-splunk-connector-README-${VERSION}.pdf
  • Alerts: scc-alerts-app-README-${VERSION}.pdf

After you install an app, you can find more information about the app in its user guide. To get a user guide, run cloudshell download user-guide from the tools file directory, where user-guide is the name of the tools user guide that you want to download:

  • Hello World: scc-hello-world-USER_GUIDE-${VERSION}.pdf
  • Creator: scc-creator-USER_GUIDE-${VERSION}.pdf
  • Query Builder: scc-query-builder-USER_GUIDE-${VERSION}.pdf
  • Notifier: scc-notifier-USER_GUIDE-${VERSION}.pdf
  • Audit Logs: scc-audit-logs-USER_GUIDE-${VERSION}.pdf
  • Splunk Connector: scc-splunk-connector-USER_GUIDE-${VERSION}.pdf
  • Alerts: scc-alerts-app-USER_GUIDE-${VERSION}.pdf