Vendors Google Cloud Platform Security Command Center SCC Threat Detection Findings

SCC Threat Detection Findings

Active threats and malicious activity

Threat findings from Google Cloud Security Command Center Event Threat Detection, identifying active attacks, malware, brute force attempts, data exfiltration, and other malicious activities detected in GCP resources.

threat-detection malware attack security-incident gcp

JSON Format 8 Fields Medium Frequency Generator

Preview Sample View Schema

Overview

Threat findings identify potential active attacks or malicious activity detected by Google Cloud Security Command Center Event Threat Detection. These findings require immediate investigation as they indicate ongoing security incidents.

When Generated:

Malware or cryptomining activity detected on compute instances
Brute force authentication attempts (SSH, RDP)
Data exfiltration attempts via Cloud SQL or other services
Unauthorized access or account hijacking detected
Privilege escalation or IAM anomalous grants
Lateral movement or suspicious SSH activity
Command and control (C2) communications detected

Security Relevance:

Critical

Compliance:

NIST 800-53 (SI-4, AU-6) ISO 27001 (A.12.4.1) PCI-DSS (11.4) SOC 2 (CC7.2) CIS GCP Foundation 2.0

Frequency Notes:

Threat findings are generated in real-time when Event Threat Detection identifies malicious patterns. Frequency depends on actual threat activity in the environment. Most threats occur during business hours when systems are actively used, but some attacks (like cryptomining) run continuously.

Resources

Documentation

Event Threat Detection Overview official
Threat Findings Reference official
Remediating Threats official

Tools

Google Cloud Console - Security Command Center
Web interface for viewing and managing threat findings

Generation Configuration

Base Frequency: 20 events/hour

Time Patterns:

business_hours night_hours weekend

Business Hours Multiplier: 1.5x

Night Hours Multiplier: 1.2x

Weekend Multiplier: 0.8x

Field Definitions

Complete field reference for this event type with data types, descriptions, and example values.

Field Name	Type	Required	Format	Description	Example	Possible Values
name Source: Constructed from organization ID, source ID, and random GUID	String	Required	`organizations/{org_id}/sources/{source_id}/locations/global/findings/{finding_id}`	Full resource name of the finding in organizations scope	`organizations/123456789/sources/9732761411165682985/locations/global/findings/abc123...`	—
category	String	Required	—	Threat category classification	`Malware: Cryptomining Bad Domain`	`Malware: Cryptomining Bad Domain` — Cryptocurrency mining activity detected `Brute Force: SSH` — SSH brute force attack detected `Malware: Bad Domain` — Communication with known malicious domain `Credential Access: External Member Added To Privileged Group` — Unauthorized privilege escalation `Exfiltration: CloudSQL Data Exfiltration` — Suspicious data transfer from Cloud SQL `Initial Access: Account Disabled Hijacked` — Compromised account activity `Persistence: IAM Anomalous Grant` — Suspicious IAM permission changes `Lateral Movement: Compute Engine Anomalous SSH` — Unusual SSH access patterns
sourceProperties.detectionCategory.technique Source: random_choice of MITRE ATT&CK techniques	String	Required	—	MITRE ATT&CK technique identifier	`T1496`	`T1496` — Resource Hijacking `T1110` — Brute Force `T1071` — Application Layer Protocol `T1078` — Valid Accounts `T1567` — Exfiltration to Cloud Storage `T1098` — Account Manipulation `T1021` — Remote Services
sourceProperties.detectionCategory.indicator Source: random_choice of malicious domains, IPs, or patterns	String	Required	—	Threat indicator (domain, IP, or other identifier)	`xmr-pool.mining.com`	—
sourceProperties.evidence Source: Array of evidence objects with source logs, IPs, user agents	Array	Required	—	Evidence logs and artifacts supporting the threat detection	—	—
severity Source: random_weighted favoring HIGH (35%)	String	Required	—	Threat severity level	`HIGH`	`CRITICAL` — Critical threat requiring immediate response `HIGH` — High severity threat `MEDIUM` — Medium severity threat `LOW` — Low severity threat
findingClass Source: Static 'THREAT'	String	Required	—	Finding class identifier	`THREAT`	—
state Source: random_weighted favoring ACTIVE (90%)	String	Required	—	Current state of the threat finding	`ACTIVE`	`ACTIVE` — Threat is currently active `INACTIVE` — Threat has been resolved or is no longer active

Details

Fields

Medium

Frequency

Feedback

No ratings yet