Guide · Detection engineering

GCP Security Command Centre findings and ATT&CK mapping

Last reviewed:

How to turn Security Command Centre findings into useful ATT&CK coverage input without treating a managed finding as the whole detection story.

Why Security Command Centre findings need mapping discipline

Security Command Centre gives GCP teams a rich findings inventory, but the inventory is not the same thing as detection engineering. A finding can describe a threat signal, a misconfiguration, a vulnerability, a posture violation, an exposure path or a product error. Those classes matter when a SOC maps the finding to ATT&CK.

A threat finding from Event Threat Detection or Container Threat Detection can support an alert workflow when the evidence is present and reviewable. A vulnerability or misconfiguration finding usually belongs in exposure management first. It can shape a detection backlog, but it does not prove attacker behaviour by itself.

Treat each finding as coverage input. Record the finding class, category, source, affected resource, severity, state and investigation fields before assigning a technique. If the mapped technique needs Cloud Audit Logs, asset sensitivity or identity context to prove behaviour, write that dependency down beside the mapping rather than hiding it in analyst notes.

This distinction is useful during reporting. A coverage review can say that Security Command Centre already exposes a risky path, while the detection backlog still needs audit-log collection, parser work or a rule in Google SecOps before the SOC can alert on the behaviour. That is a stronger answer than marking the technique green because a managed service raised something nearby.

Separate threat, posture and exposure findings

Start with finding class. Security Command Centre uses classes such as THREAT, VULNERABILITY, MISCONFIGURATION, OBSERVATION, POSTURE_VIOLATION, TOXIC_COMBINATION and CHOKEPOINT. These labels stop the team from treating a risky configuration and an observed attack signal as equal evidence.

Map THREAT findings to ATT&CK only when the finding category, source and affected resource give enough detail to explain the behaviour. A suspicious login or malware-related finding can point towards a technique, but the case still needs the resource, principal and time window that an analyst can review.

Map VULNERABILITY, MISCONFIGURATION and POSTURE_VIOLATION findings as exposure or backlog evidence. They answer a different question: could this GCP asset help an attacker if another control fails? That is useful for prioritising coverage work, but it should not inflate the live detection score.

OBSERVATION findings need the same care. Some are useful investigation hints, some are asset or workload signals, and some are better kept as triage context. The mapping owner should decide whether the finding proves a behaviour, changes the priority of another behaviour or belongs only in asset-hardening work.

  • Direct detection evidence: a THREAT finding with reviewable principal, resource and event context.
  • Exposure evidence: vulnerability, misconfiguration, toxic-combination or chokepoint findings that show a path or weakness but not live attacker action.
  • Posture evidence: policy and control-state findings that explain readiness, drift or missing guardrails.
  • Correlation context: findings that become useful only when joined with Cloud Audit Logs, identity telemetry or sensitive-asset labels.

Map findings to ATT&CK with evidence labels

A good mapping says both the technique and the evidence strength. A compromised cloud account finding can support T1078.004 Valid Accounts: Cloud Accounts when the finding shows account abuse and the reviewer can tie it to a principal. A broad IAM policy change still needs Cloud Audit Logs before it supports T1098 Account Manipulation. A logging sink or exclusion risk can point towards T1685.002 Disable or Modify Cloud Log, but only the change event proves the action.

Do not map every Security Command Centre category to ATT&CK because the words sound adjacent. Categories are product labels. ATT&CK techniques describe adversary behaviour. The mapping should survive a reviewer asking, 'what did the attacker do, and which field proves it?' If the answer is only 'SCC said high severity', the mapping is exposure context, not detection coverage.

Severity is useful for queue order, but Google describes it as a general indicator for a finding category. It is not a technique confidence score. Attack exposure scores are also not attack evidence; Google states that attack paths represent possible routes if an attacker gains access. Keep those scores in the priority column, not the proof column.

Pseudocode: classify SCC finding evidence python
def scc_finding_evidence_kind(finding):
    if finding.finding_class == 'THREAT' and finding.has_reviewable_event_context:
        return 'direct-detection'
    if finding.finding_class in {'VULNERABILITY', 'MISCONFIGURATION'}:
        return 'exposure-evidence'
    if finding.finding_class in {'TOXIC_COMBINATION', 'CHOKEPOINT'}:
        return 'attack-path-context'
    if finding.needs_audit_log_or_identity_join:
        return 'correlation-context'
    return 'posture-evidence'

Keep the finding reviewable in the SIEM

If Security Command Centre findings land in a SIEM, keep the fields that let an analyst challenge the mapping. The Findings API includes values such as name, parent, resourceName, category, state, severity, eventTime, createTime, sourceProperties, findingClass, mute state and security marks. The exact export shape depends on the route, but the case view should not reduce the finding to a title and severity.

The reviewer needs the source name and category to understand which detection service produced the signal. They also need the resource hierarchy and affected asset so the same category can be treated differently for a sandbox project, a production project or a high-value data service.

Add a notes field to the coverage record for the missing join. Common examples are 'requires Cloud Audit Logs for SetIamPolicy', 'requires identity risk signal', 'requires asset sensitivity' and 'requires workload owner approval'. That small piece of humility prevents an SCC-backed ATT&CK map from pretending it has more proof than the data gives it.

The same rule applies when findings are exported into a ticketing queue. If the ticket only carries the finding category and severity, the analyst will have to reopen Security Command Centre or Logs Explorer before they can judge the mapping. Put the review fields in the ticket or case record while the context is still attached.

  • Preserve finding class, category, source and resource name.
  • Preserve state, mute status, severity, event time and create time.
  • Preserve source properties that explain the service-specific finding details.
  • Record the missing evidence join before counting the mapping as live coverage.

Turn SCC output into a coverage backlog

A useful SCC coverage review ends with decisions, not a prettier spreadsheet. For each high-priority finding family, decide whether the team already has direct detection evidence, needs correlation work, needs logging scope fixed or should leave the item in posture management. This keeps the backlog close to the signals the SOC can actually operate.

Review the map after new Security Command Centre sources are enabled, after GCP projects or folders move into scope, after a SIEM parser changes and after an incident shows that a finding was visible but unmapped. Finding availability and query filters are part of the operating model, not admin trivia.

DCV can record Security Command Centre as managed-finding evidence while keeping the ATT&CK technique, evidence class and missing joins visible. CloudSigma is separate: it belongs to CVE and advisory-to-Sigma work, not to SCC finding mapping. For this guide, the outcome is a cleaner coverage view and a backlog that names which GCP data sources still need work.

Keep one owner for each backlog item. A platform team might own Security Command Centre service activation, a data team might own sensitive-resource labels, and the detection team might own the SIEM rule or parser. If nobody owns the missing join, the next review will rediscover the same gap with a new spreadsheet and a worse mood.

Write the owner, evidence gap and next test beside the technique. That turns the SCC review into clear, owned engineering work the team can finish properly, not another posture report that ages badly in a folder.

Sources
  • Google Cloud documentation, Detection services, https://cloud.google.com/security-command-center/docs/concepts-security-sources
  • Google Cloud documentation, Review and manage findings, https://cloud.google.com/security-command-center/docs/review-manage-findings
  • Google Cloud documentation, Finding classes, https://cloud.google.com/security-command-center/docs/finding-classes
  • Google Cloud documentation, Finding severities, https://cloud.google.com/security-command-center/docs/finding-severity-classifications
  • Google Cloud documentation, Attack exposure scores and attack paths, https://cloud.google.com/security-command-center/docs/attack-exposure-learn
  • Google Cloud documentation, Security Command Center Findings API, https://cloud.google.com/security-command-center/docs/reference/rest/v1/organizations.sources.findings
  • MITRE ATT&CK T1078.004 Valid Accounts: Cloud Accounts, https://attack.mitre.org/techniques/T1078/004/
  • MITRE ATT&CK T1098 Account Manipulation, https://attack.mitre.org/techniques/T1098/
  • MITRE ATT&CK T1685.002 Disable or Modify Cloud Log, https://attack.mitre.org/techniques/T1685/002/
Last verified: 2026-07-10