# Security Command Center

SureCloud connects to Google Security Command Center to collect active security findings across your GCP organisation. SureCloud ingests findings from all SCC sources — including Security Health Analytics, Web Security Scanner, and any third-party sources you have enabled — and uses this data to surface misconfigurations, unresolved vulnerabilities, and threat detections in a single continuous posture feed. SureCloud tracks finding state over time so that resolved and muted findings are reflected accurately.

## Endpoints

| API Call                                      | Use Case                                                                           |
| --------------------------------------------- | ---------------------------------------------------------------------------------- |
| `securitycenter.organizations.findings.list`  | Enumerate all active security findings across the organisation                     |
| `securitycenter.organizations.sources.list`   | List all finding sources (Security Health Analytics, Event Threat Detection, etc.) |
| `securitycenter.organizations.assets.list`    | Retrieve the GCP asset inventory tracked by SCC                                    |
| `securitycenter.organizations.findings.group` | Aggregate finding counts by category and severity for posture summaries            |

## Pagination

Security Command Center API responses use `nextPageToken` continuation. SureCloud passes the token as the `pageToken` parameter in successive requests until no token is returned.

```json
{
  "findings": [
    {
      "name": "organizations/123/sources/456/findings/789",
      "category": "PUBLIC_BUCKET_ACL",
      "severity": "HIGH",
      "state": "ACTIVE"
    }
  ],
  "nextPageToken": "CiAKGjBpNDU2..."
}
```
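The pagination loop described above, as an added example (not SureCloud's own code): it follows `nextPageToken` until none is returned, raises if a token repeats instead of silently truncating the feed, and then keeps only `ACTIVE` findings that are not muted. `fetch_sample_page` is a hypothetical stand-in for the HTTP call, and the sample pages, tokens and `muteState` values are constructed.

```python
from typing import Callable, Iterator, Optional

# Constructed sample pages keyed by the pageToken that requests them
# (None = first request). Tokens and finding names are made up.
P = "organizations/123/sources/456/findings/"
SAMPLE_PAGES = {
    None: {"findings": [
        {"name": P + "789", "category": "PUBLIC_BUCKET_ACL", "state": "ACTIVE", "muteState": "UNMUTED"},
        {"name": P + "790", "category": "OPEN_FIREWALL", "state": "ACTIVE", "muteState": "MUTED"},
    ], "nextPageToken": "sample-token-2"},
    "sample-token-2": {"findings": [
        {"name": P + "791", "category": "OPEN_FIREWALL", "state": "INACTIVE", "muteState": "UNMUTED"},
        {"name": P + "792", "category": "PUBLIC_BUCKET_ACL", "state": "ACTIVE"},
    ]},  # no nextPageToken: this is the last page
}


def fetch_sample_page(page_token: Optional[str]) -> dict:
    """Hypothetical stand-in for one findings.list request (assumption)."""
    return SAMPLE_PAGES[page_token]


def iter_findings(fetch_page: Callable[[Optional[str]], dict],
                  max_pages: int = 1000) -> Iterator[dict]:
    """Yield every finding, passing nextPageToken back as pageToken."""
    token: Optional[str] = None
    seen_tokens = set()
    for _ in range(max_pages):
        page = fetch_page(token)
        yield from page.get("findings", [])
        token = page.get("nextPageToken")
        if not token:  # absent or empty token: final page reached
            return
        if token in seen_tokens:
            # A repeated token would loop forever or hide later pages.
            raise RuntimeError(f"pagination loop: token {token!r} repeated")
        seen_tokens.add(token)
    raise RuntimeError("max_pages reached before the final page")


def active_unmuted(findings) -> list:
    """Keep findings that are ACTIVE and whose muteState is not MUTED."""
    return [f for f in findings
            if f.get("state") == "ACTIVE" and f.get("muteState") != "MUTED"]
```

Comparing the total yielded by `iter_findings` with the count shown in the console is a quick check that a collector is not stopping at the first page.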

{% hint style="info" %}
Security Command Center must be **activated** at the organisation level before SureCloud can collect findings. Navigate to **Security Command Center → Overview** in the Google Cloud Console and complete activation. Standard tier is sufficient for Security Health Analytics findings; Premium tier enables Event Threat Detection and Container Threat Detection.
{% endhint %}

## Required permissions

| Role                                  | Grants                                                 |
| ------------------------------------- | ------------------------------------------------------ |
| `roles/securitycenter.findingsViewer` | Read findings and sources from Security Command Center |
| `roles/securitycenter.assetsViewer`   | Read the SCC asset inventory                           |

Both roles must be granted at the **organisation** scope.

## Troubleshooting

<details>

<summary>No findings are appearing despite Security Command Center being activated</summary>

If SCC was recently activated, the initial scan may take up to 24 hours to complete before findings are available. SureCloud will collect findings on the next polling cycle after the scan completes.

Confirm findings are visible in **Security Command Center → Findings** in the Google Cloud Console. If findings are present in the console but missing in SureCloud, verify the `securitycenter.findingsViewer` role is assigned at the organisation scope.

</details>

<details>

<summary>Only Security Health Analytics findings are showing — Event Threat Detection is missing</summary>

Event Threat Detection requires the **Premium tier** of Security Command Center. If your organisation is on the Standard tier, only Security Health Analytics findings will be available.

In **Security Command Center → Settings → Service availability**, confirm which tier is active and which detectors are enabled.

</details>

<details>

<summary>Muted findings are appearing as active in SureCloud</summary>

Muted findings have a `muteState` of `MUTED` in the SCC API. SureCloud filters muted findings from the active findings view by default. If muted findings appear as active, verify the `state` and `muteState` fields on those findings directly in **Security Command Center → Findings → Muted findings** to confirm the mute was applied correctly on the SCC side.

</details>


