Vendors Google Cloud Platform Security Command Center SCC Observation Findings

SCC Observation Findings

Security-relevant observations

Observation findings from Google Cloud Security Command Center, describing events, configuration details, or issues that may not be problems themselves but could be concerning if the environment were compromised.

observation monitoring behavioral-analysis security-awareness gcp

JSON Format 7 Fields Medium Frequency Generator

Preview Sample View Schema

Overview

Observation findings describe events, configuration details, or other issues in your environment that might not be problems in themselves, but could be concerning if your environment were to be compromised. These findings provide context for security monitoring.

When Generated:

Sensitive Data Protection detects sensitive data in resources
Sensitive Actions Service detects privileged operations
Unusual API call patterns are observed
Anomalous network traffic volume is detected
Unexpected authentication attempts from new locations
Configuration changes occur outside maintenance windows
Data access from unusual times or locations

Security Relevance:

Medium

Compliance:

NIST 800-53 (AU-2, AU-6) ISO 27001 (A.12.4.1) SOC 2 (CC7.2) CIS GCP Foundation 2.0

Frequency Notes:

Observation findings are generated continuously as Security Command Center monitors resource activity and configurations. Frequency is highest during business hours when user activity and resource changes are most common. These findings provide contextual information for security teams.

Resources

Documentation

Generation Configuration

Base Frequency: 15 events/hour

Time Patterns:

business_hours night_hours weekend

Business Hours Multiplier: 1.8x

Night Hours Multiplier: 0.8x

Weekend Multiplier: 0.5x

Field Definitions

Complete field reference for this event type with data types, descriptions, and example values.

Field Name	Type	Required	Format	Description	Example	Possible Values
name Source: Constructed with 'obs-' prefix	String	Required	`organizations/{org_id}/sources/{source_id}/locations/global/findings/obs-{finding_id}`	Full resource name of the observation finding	`organizations/123456789/sources/9732761411165682985/locations/global/findings/obs-abc123...`	—
category	String	Required	—	Observation category	`RESOURCE_ACCESS_PATTERN`	`RESOURCE_ACCESS_PATTERN` — Unusual resource access pattern observed `API_ACTIVITY` — Notable API activity observed `NETWORK_TRAFFIC` — Anomalous network traffic observed `AUTHENTICATION_EVENT` — Unusual authentication event observed `CONFIGURATION_CHANGE` — Configuration change observed `DATA_ACCESS` — Data access pattern observed
sourceProperties.observation Source: Object with description, observedAt, observedBy, observationType, and resourceContext	Object	Required	—	Observation details	—	—
sourceProperties.properties.occurrenceCount Source: random_int(1, 100)	Integer	Optional	—	Number of times this observation has occurred	`15`	—
sourceProperties.properties.observationFrequency	String	Optional	—	Frequency classification of the observation	`OCCASIONAL`	`ONCE` — Observed once `OCCASIONAL` — Observed occasionally `FREQUENT` — Observed frequently `CONTINUOUS` — Observed continuously
severity Source: random_weighted favoring MEDIUM (50%)	String	Required	—	Observation severity level	`MEDIUM`	`CRITICAL` — Critical observation requiring attention `HIGH` — High severity observation `MEDIUM` — Medium severity observation `LOW` — Low severity observation
findingClass Source: Static 'OBSERVATION'	String	Required	—	Finding class identifier	`OBSERVATION`	—

Details

Fields

Medium

Frequency

Feedback

No ratings yet