
Google Security Command Center
Google Cloud- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
The Google Security Center connector integrates with Google Cloud Security Command Center (SCC), Cloud Asset Inventory, and the in-cluster Kubernetes API to give Brinqa a unified view of GCP exposure. It pulls SCC findings (vulnerabilities, misconfiguration violations, threat alerts) and the cloud assets they target — compute instances, networks, firewalls, GKE clusters, Cloud SQL, Cloud Run / Cloud Functions / App Engine, load balancers, IAM bindings, and project-level metadata — then dives into each GKE cluster's API server to enumerate namespaces, pods, service accounts (Workload Identity), services, ingresses, deployments, daemonsets, and RBAC roles. The result is one connected graph spanning GCP control-plane state and in-cluster posture, suitable for blast-radius analysis.
Data retrieved from Google Security Command Center
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Vulnerability | Yes | Vulnerability |
| Vulnerability Definition | Yes | Vulnerability Definition |
| Violation | Yes | Violation |
| Violation Definition | Yes | Violation Definition |
| Alert | Yes | Alert |
| Alert Definition | Yes | Alert Definition |
| Project | Yes | Cloud Resource |
| Bucket | Yes | Cloud Resource |
| Repository | Yes | Cloud Resource |
| ServiceAccount | Yes | Cloud Resource |
| Compute Instance | Yes | Host |
| Firewall | Yes | Cloud Resource |
| Disk | Yes | Cloud Resource |
| Address | Yes | Cloud Resource |
| Network | Yes | Cloud Resource |
| Node Pool | Yes | Cloud Resource |
| Compute Project | Yes | Cloud Resource |
| GKECluster | Yes | Cloud Resource |
| K8s Namespace | Yes | Cloud Resource |
| K8s Pod | Yes | Cloud Resource |
| K8s ServiceAccount | Yes | Cloud Resource |
| K8s Service | Yes | Cloud Resource |
| K8s Ingress | Yes | Cloud Resource |
| K8s Deployment | Yes | Cloud Resource |
| K8s DaemonSet | Yes | Cloud Resource |
| K8s Role | Yes | Cloud Resource |
| K8s RoleBinding | Yes | Cloud Resource |
| Cloud Run Service | Yes | Cloud Resource |
| Cloud Function | Yes | Cloud Resource |
| App Engine Application | Yes | Cloud Resource |
| SQL Instance | Yes | Host |
| Forwarding Rule | Yes | Cloud Resource |
| Backend Service | Yes | Cloud Resource |
| Target Pool | Yes | Cloud Resource |
| Instance Group | Yes | Cloud Resource |
| IAM Binding | Yes | Cloud Resource |
Model relationships
For detailed steps on how to view the data retrieved from Google Security Command Center in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select Google Security Command Center from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| Scope | Yes | — | The relative name of the root asset. It can only be an organization number (such as "organizations/123").< br><br>\ |
| Credentials | Yes | — | This is the full content of the JSON file that contains your service account key |
| Page size | No | pageSize config | Maximum number of records to get per API request |
| Excluded project IDs | No | — | Comma-separated GCP project IDs to exclude (e.g. 12345, projects/67890), applies to all syncs |
| Excluded folder IDs | No | — | Comma-separated GCP folder IDs to exclude (e.g. 67890, folders/111222), all projects under an excluded folder are also excluded |
Authentication
The connector authenticates with Google Cloud APIs using a service account JSON key (Application Default Credentials shape). The connector loads the key from the credentials configuration property and uses it to mint OAuth 2.0 access tokens for every Google API call (cloudasset.googleapis.com, securitycenter.googleapis.com, container.googleapis.com, etc.). The same service account is also used to obtain GKE bearer tokens via gcloud container clusters get-credentials style auth flows for in-cluster Kubernetes calls.
Required Elements
| Element | Description |
|---|---|
| Method | OAuth 2.0 with service account JSON key |
| Scope | Comma-separated GCP scope list (organizations/{org}, folders/{folderId}, or projects/{projectId}) |
| Credentials | Full JSON contents of a GCP service account key with the IAM roles listed under Required Permissions |
| Token endpoint | https://oauth2.googleapis.com/token (handled by the Google Auth library) |
Usage
The credentials and scope are read once per sync. The Google client libraries handle token refresh automatically; the connector itself never sees the bearer token. For Kubernetes API calls, the same service account is exchanged for an in-cluster bearer token via the container.clusters.getCredential flow, then attached to each kubectl-equivalent request.
Sync Behavior
The connector uses incremental (delta) syncs where the source API supports it, and full syncs elsewhere:
- Incremental — Security Command Center findings (and the definitions derived from them) are filtered by
event_time >= since, and Cloud Asset Inventory assets are filtered byupdateTime >= since, so only records changed since the previous run are retrieved. - Full snapshot — In-cluster Kubernetes models (namespaces, pods, service accounts, services, ingresses, deployments, daemonsets, and RBAC roles/bindings) are fully enumerated every sync; the
sincevalue is not applied. IAM policy bindings are likewise re-snapshotted each sync because Cloud Asset Inventory'sIAM_POLICYcontent type does not support an incremental filter.
When no since value is supplied, all models perform a full sync.
How to obtain Google Security Command Center credentials
Enable the Cloud Asset API
The Google Security Command Center connector requires that you enable the Cloud Asset API on the specified scope.
Create a custom role for Brinqa
Google Cloud uses service accounts to authenticate and authorize API calls, but you can only create service accounts within a project. For the Google Security Command Center connector to collect assets from multiple projects, you must grant the service account organization level permissions through a custom Identity and Access Management (IAM) role.
To create a custom role with organization level permissions, follow these steps:
-
Log in to the Google Cloud Console.
-
Select the organization where you want the connector to collect assets.
-
In the Navigation menu, select IAM & Admin > Roles.
-
Click Create Role.
-
Enter a name and description for your role.
-
Click Add Permissions and add the following read-only permissions required by the connector:
-
cloudasset.viewer -
securitycenter.findingsViewer
-
-
Click Create.
Create a service account and grant organization level permissions
Since the service account must have organization level permissions for the Google Security Command Center connector to collect assets from all the projects within the organization, Brinqa recommends that you create a service account specifically for the connector.
To create a service account and grant the appropriate permissions, follow these steps:
-
Log in to the Google Cloud Console.
-
Select the project where you want to create the service account.
-
In the Navigation menu, select IAM & Admin > Service Accounts.
-
Click Create Service Account.
-
Enter a name and description for the service account.
-
Skip the optional steps and click Done.
-
View the service account details and save the email address for later use.
-
Select the organization where you have created the custom role.
-
In the Navigation menu, select IAM & Admin.
-
Click Grant Access.
-
Click New principals and paste in the email taken from the service account details page.
-
Click Select a role and select the custom role created previously.

-
Click Save.
Obtain your service account key
If you have completed the previous steps successfully, your service account should have the minimum permissions that the Google Security Command Center connector needs to collect assets from all the projects within your organization.
To obtain the service account key, follow these steps:
-
Log in to the Google Cloud Console.
-
Select your project where the service account resides.
-
In the Navigation menu, select IAM & Admin > Service Accounts.
-
Select the service account and click the Keys tab.
-
Click Add Key > Create new key.
-
Keep JSON as key type and click Create.
The generated private key file is saved to your computer automatically.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
Vulnerability
| Source Field Name | SDM Attribute |
|---|---|
| derived from STATUS | STATUS_CATEGORY |
Finding.createTime | SOURCE_CREATED_DATE |
Finding.eventTime | EVENT_TIME |
Finding.kubernetes.objects[].name | KUBERNETES_OBJECTS |
Finding.name | UID |
Finding.name | NAME |
Finding.resourceName | AFFECTED_ASSET |
Finding.state | STATUS |
Finding.state | SOURCE_STATUS |
| resolved asset id | TARGETS |
sourceProperties.ActivationTrigger | ACTIVATION_TRIGGER |
sourceProperties.ProjectId | PROJECTS |
sourceProperties.ResourcePath | PATH |
sync timestamp (Instant.now()) | LAST_CAPTURED |
Vulnerability.cve.id or securityBulletin.bulletinId | TYPE |
Vulnerability.offendingPackage + Vulnerability.fixedPackage | RESULTS |
Vulnerability Definition
| Source Field Name | SDM Attribute |
|---|---|
Cve.cvssv3.attackComplexityValue | CVSS_V3_AV |
Cve.cvssv3.baseScore | CVSS_V3_BASE_SCORE |
Cve.cvssv3.confidentialityImpactValue | CVSS_V3_CI |
Cve.cvssv3.integrityImpactValue | CVSS_V3_II |
Cve.id | CVE_IDS |
Cve.id | CVE_RECORDS |
Cve.references[].uri | REFERENCES |
Cve.upstreamFixAvailable | FIXABLE |
derived | SEVERITY_SCORE |
Finding.category | CATEGORIES |
Finding.findingClass.name() | FINDING_CLASS |
Finding.severity | SOURCE_SEVERITY |
normalized Finding.severity | SEVERITY |
regex on Finding.description (Update Instructions:) or Finding.nextSteps | RECOMMENDATION |
| same as UID | NAME |
sourceProperties.description or Finding.description | DESCRIPTION |
sync timestamp (Instant.now()) | LAST_CAPTURED |
Vulnerability.cve.id or securityBulletin.bulletinId | UID |
Violation
| Source Field Name | SDM Attribute |
|---|---|
Finding.category | TYPE |
Finding.createTime | SOURCE_CREATED_DATE |
Finding.eventTime | EVENT_TIME |
Finding.kubernetes.objects[].name | KUBERNETES_OBJECTS |
Finding.name | UID |
Finding.name | NAME |
Finding.resourceName | AFFECTED_ASSET |
Finding.state | STATUS / SOURCE_STATUS / STATUS_CATEGORY |
| resolved asset id | TARGETS |
sourceProperties.ActivationTrigger | ACTIVATION_TRIGGER |
sourceProperties.ProjectId | PROJECTS |
sourceProperties.Recommendation or Finding.nextSteps | RECOMMENDATION |
sourceProperties.ResourcePath | PATH |
sync timestamp (Instant.now()) | LAST_CAPTURED |
Violation Definition
| Source Field Name | SDM Attribute |
|---|---|
derived from BaseFinding.FINDINGS_DEFS or category id | NAME |
Finding.category | UID |
Finding.findingClass.name() | FINDING_CLASS |
Finding.severity | SEVERITY / SEVERITY_SCORE / SOURCE_SEVERITY |
sourceProperties.ExceptionInstructions | EXCEPTION_INSTRUCTIONS |
sourceProperties.Explanation or Finding.description | DESCRIPTION |
sourceProperties.ScannerName | SCANNER_NAME |
sync timestamp (Instant.now()) | LAST_CAPTURED |
Alert
| Source Field Name | SDM Attribute |
|---|---|
Finding.category | TYPE |
Finding.createTime | SOURCE_CREATED_DATE |
Finding.eventTime | EVENT_TIME |
Finding.kubernetes.objects[].name | KUBERNETES_OBJECTS |
Finding.name | UID / NAME |
Finding.resourceName | AFFECTED_ASSET |
Finding.state | STATUS / SOURCE_STATUS / STATUS_CATEGORY |
| resolved asset id | TARGETS |
sourceProperties.* | PROJECTS / ACTIVATION_TRIGGER / PATH |
sync timestamp (Instant.now()) | LAST_CAPTURED |
Alert Definition
| Source Field Name | SDM Attribute |
|---|---|
derived from BaseFinding.FINDINGS_DEFS or category id | NAME |
Finding.category | UID |
Finding.findingClass.name() | FINDING_CLASS |
Finding.severity | SEVERITY / SEVERITY_SCORE / SOURCE_SEVERITY |
sourceProperties.ExceptionInstructions | EXCEPTION_INSTRUCTIONS |
sourceProperties.Explanation or Finding.description | DESCRIPTION |
sourceProperties.Recommendation or Finding.nextSteps | RECOMMENDATION |
sourceProperties.ScannerName | SCANNER_NAME |
sync timestamp (Instant.now()) | LAST_CAPTURED |
Project
| Source Field Name | SDM Attribute |
|---|---|
Asset.ancestors[] | ANCESTORS |
Asset.id (project number) | UID |
Asset.resource.version | CURRENT_VERSION |
Asset.updateTime | SOURCE_LAST_MODIFIED |
| assetType + ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
createTime | FIRST_SEEN |
labels (key:value) | TAGS |
last segment of Asset.name | NAME |
last segment of Asset.name | SOURCE_NAME |
lifecycleState | STATUS |
name | PROJECT_NAME |
parent.id | PARENT_ID |
parent.type | PARENT_TYPE |
projectId | PROJECT_ID |
selfLink | URL |
sync timestamp (Instant.now()) | LAST_CAPTURED |
Bucket
| Source Field Name | SDM Attribute |
|---|---|
Asset.ancestors[] | ANCESTORS |
Asset.id (bucket name) | UID |
Asset.resource.version | CURRENT_VERSION |
Asset.updateTime | SOURCE_LAST_MODIFIED |
billing.requesterPays | BILLING |
combination of website.mainPageSuffix, cors, metageneration | NAME |
derived from lifecycle.rule[0].condition.isLive | STATUS |
encryption.defaultKmsKeyName | ENCRYPTION |
etag | ETAG |
etag:<value> + labels (k:v) | TAGS |
flattened acl[] | ACL |
flattened defaultObjectAcl[] (kind/entity/role/email/domain) | DEFAULT_OBJECT_ACL |
iamConfiguration.publicAccessPrevention | PUBLIC_ACCESS_PREVENTION |
iamConfiguration.uniformBucketLevelAccess | UNIFORM_BUCKET_LEVEL_ACCESS |
kind | KIND |
| kind + assetType + ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
labels (raw) | LABELS |
last segment of Asset.name | SOURCE_NAME |
location | LOCATION |
locationType | LOCATION_TYPE |
logging.logBucket | LOGGING |
owner.entity | OWNER |
retentionPolicy.retentionPeriod + isLocked | RETENTION_POLICY |
selfLink | URL |
storageClass | STORAGE_CLASS |
sync timestamp (Instant.now()) | LAST_CAPTURED |
timeCreated | FIRST_SEEN |
website.mainPageSuffix | WEBSITE |
Repository
| Source Field Name | SDM Attribute |
|---|---|
Asset.ancestors[] | ANCESTORS |
Asset.id or Asset.name | UID |
Asset.resource.version | CURRENT_VERSION |
Asset.updateTime | SOURCE_LAST_MODIFIED |
createTime | FIRST_SEEN |
description | DESCRIPTION |
format | FORMAT |
| kind + assetType + ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
labels (k:v) | TAGS |
last segment of Asset.name | NAME / SOURCE_NAME |
mode | MODE |
selfLink | URL |
sync timestamp (Instant.now()) | LAST_CAPTURED |
ServiceAccount
| Source Field Name | SDM Attribute |
|---|---|
Asset.ancestors[] | ANCESTORS |
Asset.id or Asset.name | UID |
Asset.resource.version | CURRENT_VERSION |
Asset.updateTime | SOURCE_LAST_MODIFIED |
| assetType + ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
description | DESCRIPTION |
disabled | DISABLED |
displayName | DISPLAY_NAME |
email | |
etag | TAGS |
etag | ETAG |
last segment of Asset.name | NAME / SOURCE_NAME |
oauth2ClientId | CLIENT_ID |
projectId | PROJECT_ID |
selfLink | URL |
sync timestamp (Instant.now()) | LAST_CAPTURED |
uniqueId | UNIQUE_ID |
Compute Instance
| Source Field Name | SDM Attribute |
|---|---|
Asset.ancestors[] | ANCESTORS |
Asset.id or Asset.name | UID |
Asset.resource.version | CURRENT_VERSION |
Asset.updateTime | SOURCE_LAST_MODIFIED |
| assetType + kind + Host + Virtual Machine | CATEGORIES |
canIpForward | CAN_IP_FORWARD |
confidentialInstanceConfig.enableConfidentialCompute | CONFIDENTIAL_INSTANCE_CONFIG |
cpuPlatform | CPU_PLATFORM |
creationTimestamp | FIRST_SEEN |
deletionProtection | DELETE_PROTECTION |
description | DESCRIPTION |
displayDevice.enableDisplay | ENABLE_DISPLAY |
fingerprint | FINGERPRINT |
flattened disks[] (type/boot/diskSizeGb/interface/mode) | DISKS |
id | INSTANCE_ID |
last segment of Asset.name | NAME / SOURCE_NAME |
| last segment of machineType | MACHINE_TYPE |
last segment of networkInterfaces[0].network | NETWORK |
last segment of networkInterfaces[0].subnetwork | SUBNET |
| last segment of zone | ZONE |
lastStartTimestamp | LAST_STARTED |
lastStopTimestamp | LAST_STOPPED |
metadata.items[] where key=block-project-ssh-keys (defaults to false if absent) | BLOCK_PROJECT_SSH_KEYS |
metadata.items[] where key=enable-oslogin (defaults to false if absent) | ENABLE_OSLOGIN |
metadata.items[] where key=ssh-keys (one entry per line) | SSH_KEYS |
networkInterfaces[0].accessConfigs[].natIP | PUBLIC_IP_ADDRESSES |
networkInterfaces[0].accessConfigs[].networkTier | NETWORK_TIER |
networkInterfaces[0].networkIP | PRIVATE_IP_ADDRESSES |
networkInterfaces[0].stacktype | STACK_TYPE |
reservationAffinity.consumeReservationType | CONSUME_RESERVATION_TYPE |
scheduling.automaticRestart | AUTO_RESTART |
scheduling.onHostMaintenance | ON_HOST_MAINTENANCE |
scheduling.preemptible | PREEMPTIBLE |
scheduling.provisioningModel | PROVISIONING_MODEL |
selfLink | URL |
serviceAccounts[].email | EMAILS |
shieldedInstanceConfig.enableIntegrityMonitoring | ENABLE_INTEGRITY_MONITORING |
shieldedInstanceConfig.enableSecureBoot | ENABLE_SECURE_BOOT |
shieldedInstanceConfig.enableVtpm | ENABLE_VTPM |
startRestricted | START_RESTRICTED |
status | STATUS / SOURCE_STATUS |
sync timestamp (Instant.now()) | LAST_CAPTURED |
tags.items[] | NETWORK_TAGS |
| union of private + public | IP_ADDRESSES |
union of tags.items[] and labels (k:v) | TAGS |
Firewall
| Source Field Name | SDM Attribute |
|---|---|
allowed[] flattened to proto:port (or proto) | ALLOWED_RULES |
Asset.ancestors[] | ANCESTORS |
Asset.id or Asset.name | UID |
Asset.resource.version | CURRENT_VERSION |
Asset.updateTime | SOURCE_LAST_MODIFIED |
creationTimestamp | FIRST_SEEN |
denied[] flattened to proto:port | DENIED_RULES |
description | DESCRIPTION |
direction | DIRECTION |
disabled | DISABLED |
| kind + assetType + ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
last segment of Asset.name | NAME / SOURCE_NAME |
| last segment of network | NETWORK |
logConfig.enable | LOG_CONFIG |
priority | PRIORITY |
selfLink | URL |
sourceRanges[] | SOURCE_RANGES |
sync timestamp (Instant.now()) | LAST_CAPTURED |
targetServiceAccounts[] | TARGET_SERVICE_ACCOUNTS |
targetTags[] | TAGS |
Disk
| Source Field Name | SDM Attribute |
|---|---|
Asset.* | UID / NAME / SOURCE_NAME / ANCESTORS / URL / CURRENT_VERSION / SOURCE_LAST_MODIFIED |
| assetType + ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
creationTimestamp | FIRST_SEEN |
derived from diskEncryptionKey (true if struct present) | KMS_ENCRYPTED |
description | DESCRIPTION |
diskEncryptionKey.kmsKeyName | KMS_KEY_NAME |
labels (k:v) | TAGS |
region | REGION |
sizeGb (parsed string-or-number to Double) | SIZE_GB |
sourceImage | SOURCE_IMAGE |
status | STATUS |
sync timestamp (Instant.now()) | LAST_CAPTURED |
type | TYPE |
users[] | USERS |
zone | ZONE |
Address
| Source Field Name | SDM Attribute |
|---|---|
address | IP_ADDRESS |
addressType | ADDRESS_TYPE |
Asset.* | UID / NAME / SOURCE_NAME / ANCESTORS / URL / CURRENT_VERSION / SOURCE_LAST_MODIFIED |
| assetType + ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
creationTimestamp | FIRST_SEEN |
description | DESCRIPTION |
network | NETWORK |
purpose | PURPOSE |
region | REGION |
status | STATUS |
subnetwork | SUBNETWORK |
sync timestamp (Instant.now()) | LAST_CAPTURED |
users[] | USERS |
Network
| Source Field Name | SDM Attribute |
|---|---|
Asset.* | UID / NAME / SOURCE_NAME / ANCESTORS / URL / CURRENT_VERSION / SOURCE_LAST_MODIFIED |
| assetType + ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
autoCreateSubnetworks | AUTO_CREATE_SUBNETWORKS |
creationTimestamp | FIRST_SEEN |
description | DESCRIPTION |
flattened peerings[] (name | PEERINGS |
peerings[].network | PEERED_NETWORKS |
routingConfig.routingMode | ROUTING_MODE |
sync timestamp (Instant.now()) | LAST_CAPTURED |
Node Pool
| Source Field Name | SDM Attribute |
|---|---|
Asset.* | UID / NAME / SOURCE_NAME / ANCESTORS / URL / CURRENT_VERSION / SOURCE_LAST_MODIFIED |
| assetType + ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
config.diskType | DISK_TYPE |
config.machineType | MACHINE_TYPE |
config.oauthScopes[] | OAUTH_SCOPES |
config.serviceAccount | EMAILS |
config.tags[] | TAGS |
management.autoRepair | AUTO_REPAIR |
management.autoUpgrade | AUTO_UPGRADE |
status | STATUS |
sync timestamp (Instant.now()) | LAST_CAPTURED |
version | VERSION |
Compute Project
| Source Field Name | SDM Attribute |
|---|---|
Asset.* | UID / NAME / SOURCE_NAME / ANCESTORS / URL / CURRENT_VERSION / SOURCE_LAST_MODIFIED |
| assetType + ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
commonInstanceMetadata.items[] where key=block-project-ssh-keys (defaults to false) | BLOCK_PROJECT_SSH_KEYS |
commonInstanceMetadata.items[] where key=enable-oslogin (defaults to false) | ENABLE_OSLOGIN |
commonInstanceMetadata.items[] where key=ssh-keys | PROJECT_SSH_KEYS |
creationTimestamp | FIRST_SEEN |
defaultNetworkTier | DEFAULT_NETWORK_TIER |
defaultServiceAccount | DEFAULT_SERVICE_ACCOUNT |
sync timestamp (Instant.now()) | LAST_CAPTURED |
GKECluster
| Source Field Name | SDM Attribute |
|---|---|
Asset.* | UID / NAME / SOURCE_NAME / ANCESTORS / URL / CURRENT_VERSION / SOURCE_LAST_MODIFIED |
| assetType + ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
clusterIpv4Cidr | CLUSTER_IPV4_CIDR |
createTime | FIRST_SEEN |
currentMasterVersion | CURRENT_MASTER_VERSION |
currentNodeCount | CURRENT_NODE_COUNT |
currentNodeVersion | CURRENT_NODE_VERSION |
description | DESCRIPTION |
enableKubernetesAlpha | ENABLE_KUBERNETES_ALPHA |
enableTpu | ENABLE_TPU |
endpoint | ENDPOINT |
etag | TAGS |
expireTime | EXPIRE_TIME |
initialClusterVersion | INITIAL_CLUSTER_VERSION |
initialNodeCount | INITIAL_NODE_COUNT |
instanceGroupUrls | INSTANCE_GROUP_URLS |
labelFingerprint | LABEL_FINGERPRINT |
location | LOCATION |
loggingService | LOGGING_SERVICE |
masterAuthorizedNetworksConfig.cidrBlocks[].cidrBlock | MASTER_AUTHORIZED_NETWORKS_CIDRS |
masterAuthorizedNetworksConfig.enabled (defaults to false) | MASTER_AUTHORIZED_NETWORKS_ENABLED |
monitoringService | MONITORING_SERVICE |
network | NETWORK |
nodeIpv4CidrSize | NODE_IPV4_CIDR_SIZE |
privateClusterConfig.enablePrivateEndpoint (defaults to false) | ENABLE_PRIVATE_ENDPOINT |
privateClusterConfig.enablePrivateNodes (defaults to false) | ENABLE_PRIVATE_NODES |
satisfiesPzi | SATISFIES_PZI |
satisfiesPzs | SATISFIES_PZS |
servicesIpv4Cidr | SERVICES_IPV4_CIDR |
status | STATUS / SOURCE_STATUS |
statusMessage | STATUS_MESSAGE |
subnetwork | SUB_NETWORK |
sync timestamp (Instant.now()) | LAST_CAPTURED |
tpuIpv4CidrBlock | TPU_IPV4_CIDR_BLOCK |
zone | ZONE |
K8s Namespace
| Source Field Name | SDM Attribute |
|---|---|
| <cluster> | UID |
| cluster reference | CLUSTER |
| K8s Namespace + ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
metadata.creationTimestamp | FIRST_SEEN |
metadata.labels (k:v) | TAGS |
metadata.name | NAME |
status.phase | PHASE |
K8s Pod
| Source Field Name | SDM Attribute |
|---|---|
| <cluster> | UID |
derived | CLUSTER / NAMESPACE |
| K8s Pod + ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
metadata.creationTimestamp | FIRST_SEEN |
metadata.labels (k:v) | TAGS |
metadata.name | NAME |
spec.containers[].image | IMAGES |
spec.hostNetwork | HOST_NETWORK |
spec.nodeName | NODE_NAME |
spec.serviceAccountName | SERVICE_ACCOUNT_NAME |
status.hostIP | HOST_IP |
status.phase | PHASE |
status.podIP | POD_IP |
K8s ServiceAccount
| Source Field Name | SDM Attribute |
|---|---|
| <cluster> | UID |
automountServiceAccountToken | AUTOMOUNT_TOKEN |
derived | CLUSTER / NAMESPACE |
| K8s ServiceAccount + ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
metadata.annotations['iam.gke.io/gcp-service-account'] | GCP_SERVICE_ACCOUNT |
metadata.creationTimestamp | FIRST_SEEN |
metadata.labels (k:v) | TAGS |
metadata.name | NAME |
K8s Service
| Source Field Name | SDM Attribute |
|---|---|
| <cluster> | UID |
| as above | NAME / CLUSTER / NAMESPACE / FIRST_SEEN / CATEGORIES / TAGS |
spec.clusterIP | CLUSTER_IP |
spec.externalIPs[] | EXTERNAL_IPS |
spec.ports[] flattened to proto:port[->targetPort][/nodePort] | PORTS |
spec.type | TYPE |
status.loadBalancer.ingress[].ip + .hostname | LOAD_BALANCER_IPS |
K8s Ingress
| Source Field Name | SDM Attribute |
|---|---|
| as above | UID / NAME / CLUSTER / NAMESPACE / FIRST_SEEN / CATEGORIES / TAGS |
spec.ingressClassName | INGRESS_CLASS |
spec.rules[].host | HOSTS |
spec.rules[].http.paths[] flattened to host | PATHS |
spec.tls[].hosts[] | TLS_HOSTS |
status.loadBalancer.ingress[].ip + .hostname | LOAD_BALANCER_IPS |
K8s Deployment
| Source Field Name | SDM Attribute |
|---|---|
| as above | UID / NAME / CLUSTER / NAMESPACE / FIRST_SEEN / CATEGORIES / TAGS |
spec.replicas | REPLICAS |
spec.strategy.type | STRATEGY |
spec.template.spec.containers[].image | IMAGES |
spec.template.spec.serviceAccountName | SERVICE_ACCOUNT_NAME |
status.readyReplicas | READY_REPLICAS |
K8s DaemonSet
| Source Field Name | SDM Attribute |
|---|---|
| as above | UID / NAME / CLUSTER / NAMESPACE / FIRST_SEEN / CATEGORIES / TAGS |
spec.template.spec.containers[].image | IMAGES |
spec.template.spec.hostNetwork | HOST_NETWORK |
spec.template.spec.serviceAccountName | SERVICE_ACCOUNT_NAME |
status.currentNumberScheduled | CURRENT_NUMBER |
status.desiredNumberScheduled | DESIRED_NUMBER |
K8s Role
| Source Field Name | SDM Attribute |
|---|---|
| <cluster> | UID |
| as above | NAME / CLUSTER / NAMESPACE / FIRST_SEEN / CATEGORIES / TAGS |
derived | CLUSTER_SCOPED |
rules[] flattened to apiGroups | RULES |
union of rules[].verbs[] | VERBS |
K8s RoleBinding
| Source Field Name | SDM Attribute |
|---|---|
| <cluster> | UID |
| as above | NAME / CLUSTER / NAMESPACE / FIRST_SEEN / CATEGORIES / TAGS |
derived | CLUSTER_SCOPED |
roleRef.kind:name | ROLE_REF |
subjects[] flattened to kind:namespace/name | SUBJECTS |
Cloud Run Service
| Source Field Name | SDM Attribute |
|---|---|
Asset.* | UID / NAME / SOURCE_NAME / ANCESTORS / URL / CURRENT_VERSION / SOURCE_LAST_MODIFIED |
| assetType + ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
| first entry of URLS | URL |
metadata.annotations['run.googleapis.com/ingress'] | INGRESS |
metadata.annotations['run.googleapis.com/urls'] parsed JSON array | URLS |
metadata.annotations['serving.knative.dev/creator'] | CREATOR |
metadata.annotations['serving.knative.dev/lastModifier'] | LAST_MODIFIER |
metadata.creationTimestamp | FIRST_SEEN |
metadata.labels (k:v) | TAGS |
spec.template.spec.containers[].image | IMAGES |
spec.template.spec.serviceAccountName | EMAILS |
status.conditions[where type==Ready].status | STATUS |
status.latestReadyRevisionName | LATEST_READY_REVISION |
sync timestamp (Instant.now()) | LAST_CAPTURED |
Cloud Function
| Source Field Name | SDM Attribute |
|---|---|
Asset.* | UID / NAME / SOURCE_NAME / ANCESTORS / URL / CURRENT_VERSION / SOURCE_LAST_MODIFIED |
| assetType + ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
buildConfig.entryPoint | ENTRY_POINT |
buildConfig.environmentVariables flattened to key=value | BUILD_ENVIRONMENT_VARIABLES |
buildConfig.runtime | RUNTIME |
buildConfig.serviceAccount | BUILD_SERVICE_ACCOUNT |
createTime | FIRST_SEEN |
description | DESCRIPTION |
eventTrigger.eventType | EVENT_TRIGGER_TYPE |
labels (k:v) | TAGS |
serviceConfig.environmentVariables flattened to key=value | ENVIRONMENT_VARIABLES |
serviceConfig.ingressSettings | INGRESS_SETTINGS |
serviceConfig.secretEnvironmentVariables[] flattened to key=secret/version | SECRET_ENVIRONMENT_VARIABLES |
serviceConfig.serviceAccountEmail | EMAILS |
serviceConfig.uri | TRIGGER_URL |
state | STATUS |
sync timestamp (Instant.now()) | LAST_CAPTURED |
url | URL |
App Engine Application
| Source Field Name | SDM Attribute |
|---|---|
Asset.* | UID / NAME / SOURCE_NAME / ANCESTORS / URL / CURRENT_VERSION / SOURCE_LAST_MODIFIED |
| assetType + ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
databaseType | DATABASE_TYPE |
defaultBucket | DEFAULT_BUCKET |
defaultCookieExpiration | DEFAULT_COOKIE_EXPIRATION |
defaultHostname | PUBLIC_DNS_NAMES |
dispatchRules[] flattened to domain | DISPATCH_RULES |
iap.enabled | IAP_ENABLED |
locationId | LOCATION |
servingStatus | STATUS / SERVING_STATUS |
sync timestamp (Instant.now()) | LAST_CAPTURED |
SQL Instance
| Source Field Name | SDM Attribute |
|---|---|
Asset.* | UID / NAME / SOURCE_NAME / ANCESTORS / URL / CURRENT_VERSION / SOURCE_LAST_MODIFIED |
| assetType + kind + ASSET_CATEGORY_HOST | CATEGORIES |
createTime | FIRST_SEEN |
derived from dnsNames[].name | PUBLIC_DNS_NAMES / PRIVATE_DNS_NAMES |
derived from ipAddresses[].ipAddress (RFC1918 check) | PUBLIC_IP_ADDRESSES / PRIVATE_IP_ADDRESSES |
dnsNames[].connectionType | DNS_CONNECTION_TYPE |
dnsNames[].dnsScope | DNS_SCOPE |
dnsNames[].name | DNS_NAMES |
ipAddresses[].ipAddress | IP_ADDRESSES |
ipAddresses[].type | IP_ADDRESS_TYPE |
satisfiesPzi | SATISFIES_PZI |
serverCaCert.* | FINGERPRINT / INSTANCE / CERT_EXPIRATION_TIME / CERT_CREATE_TIME / CERT_COMMON_NAME / CERT_SERIAL_NUMBER |
serviceAccountEmailAddress | EMAILS |
settings.* | TIER / STORAGE_AUTO_RESIZE / STORAGE_AUTO_RESIZE_LIMIT / SETTINGS_VERSION / RETAIN_BACKUPS_ON_DELETE / REPLICATION_TYPE / REPLICATION_LAG_MAX_SECONDS / PRICING_PLAN / EDITION / DELETION_PROTECTION_ENABLED / DATA_DISK_TYPE / DATA_DISK_SIZE_GB / CONNECTOR_ENFORCEMENT / AVAILABILITY_TYPE / ACTIVATION_POLICY |
settings.backupConfiguration.* | BACKUP_TRANSACTIONAL_LOG_STORAGE_STATE / BACKUP_TRANSACTION_LOG_RETENTION_DAYS / BACKUP_START_TIME / BACKUP_LOCATION / BACKUP_ENABLED / BACKUP_BINARY_LOG_ENABLED / BACKUP_TIER |
settings.backupConfiguration.backupRetentionSettings.* | BACKUP_RETENTION_UNIT / BACKUP_RETAINED_BACKUPS |
settings.finalBackupConfig.* | FINAL_BACKUP_RETENTION_DAYS / FINAL_BACKUP_ENABLED |
settings.ipConfiguration.* | SSL_MODE / SERVER_CA_MODE / REQUIRE_SSL / IPV4_ENABLED |
settings.ipConfiguration.authorizedNetworks[].value | AUTHORIZED_NETWORKS |
settings.locationPreference.zone | ZONE |
settings.maintenanceWindow.* | SQL_UPDATE_TRACK / MAINTENANCE_WINDOW_HOUR / MAINTENANCE_WINDOW_DAY |
sqlNetworkArchitecture | SQL_NETWORK_ARCHITECTURE |
state | STATUS / SOURCE_STATUS |
| top-level fields | REGION / PROJECT / MAINTENANCE_VERSION / INSTANCE_TYPE / INCLUDE_REPLICAS_FOR_MAJOR_VERSION_UPGRADE / GCE_ZONE / DATABASE_VERSION / DATABASE_INSTALLED_VERSION / CONNECTION_NAME / BACKEND_TYPE |
Forwarding Rule
| Source Field Name | SDM Attribute |
|---|---|
Asset.* | UID / NAME / SOURCE_NAME / ANCESTORS / URL / CURRENT_VERSION / SOURCE_LAST_MODIFIED |
| assetType + ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
backendService | BACKEND_SERVICE |
creationTimestamp | FIRST_SEEN |
| derived from loadBalancingScheme == EXTERNAL or EXTERNAL_MANAGED | IS_EXTERNAL |
description | DESCRIPTION |
IPAddress (when EXTERNAL) | PUBLIC_IP_ADDRESSES |
| IPProtocol | IP_PROTOCOL |
loadBalancingScheme | LOAD_BALANCING_SCHEME |
network | NETWORK |
portRange | PORT_RANGE |
ports[] | PORTS |
region | REGION |
subnetwork | SUBNETWORK |
sync timestamp (Instant.now()) | LAST_CAPTURED |
target | TARGET |
Backend Service
| Source Field Name | SDM Attribute |
|---|---|
Asset.* | UID / NAME / SOURCE_NAME / ANCESTORS / URL / CURRENT_VERSION / SOURCE_LAST_MODIFIED |
| assetType + ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
backends[].group | BACKENDS |
creationTimestamp | FIRST_SEEN |
description | DESCRIPTION |
healthChecks[] | HEALTH_CHECKS |
loadBalancingScheme | LOAD_BALANCING_SCHEME |
portName | PORT_NAME |
protocol | PROTOCOL |
region | REGION |
securityPolicy | SECURITY_POLICY |
sessionAffinity | SESSION_AFFINITY |
sync timestamp (Instant.now()) | LAST_CAPTURED |
Target Pool
| Source Field Name | SDM Attribute |
|---|---|
Asset.* | UID / NAME / SOURCE_NAME / ANCESTORS / URL / CURRENT_VERSION / SOURCE_LAST_MODIFIED |
| assetType + ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
backupPool | BACKUP_POOL |
creationTimestamp | FIRST_SEEN |
description | DESCRIPTION |
healthChecks[] | HEALTH_CHECKS |
instances[] | INSTANCES |
region | REGION |
sessionAffinity | SESSION_AFFINITY |
sync timestamp (Instant.now()) | LAST_CAPTURED |
Instance Group
| Source Field Name | SDM Attribute |
|---|---|
Asset.* | UID / NAME / SOURCE_NAME / ANCESTORS / URL / CURRENT_VERSION / SOURCE_LAST_MODIFIED |
| assetType + ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
creationTimestamp | FIRST_SEEN |
description | DESCRIPTION |
namedPorts[] flattened to name:port | NAMED_PORTS |
network | NETWORK |
region | REGION |
size | SIZE |
subnetwork | SUBNETWORK |
sync timestamp (Instant.now()) | LAST_CAPTURED |
zone | ZONE |
IAM Binding
| Source Field Name | SDM Attribute |
|---|---|
Asset.assetType | POLICY_RESOURCE_TYPE |
Asset.name | POLICY_RESOURCE |
Binding.condition.expression | CONDITION_EXPRESSION |
Binding.condition.title | CONDITION_TITLE |
Binding.role | ROLE |
| composite <policyResource> | UID |
derived | ROLE_TYPE |
derived | MEMBER_TYPE |
iam.googleapis.com/Binding + ASSET_CATEGORY_CLOUD_RESOURCE | CATEGORIES |
iam.googleapis.com/Role asset's includedPermissions[] | PERMISSIONS |
one entry per Binding.members[] | MEMBER |
| same as UID | NAME |
| sync timestamp | SOURCE_LAST_MODIFIED |
sync timestamp (Instant.now()) | LAST_CAPTURED |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
Vulnerability
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Vulnerability on every run and applies no incremental date filter.
API
- Type: REST — Security Command Center (ListFindings) · Endpoint:
POST https://securitycenter.googleapis.com/v1/{parent=organizations/*/sources/-}/findings:list
Vulnerability Definition
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Vulnerability Definition on every run and applies no incremental date filter.
API
- Type: REST — Security Command Center (ListFindings) · Endpoint:
POST https://securitycenter.googleapis.com/v1/{parent=organizations/*/sources/-}/findings:list
Violation
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Violation on every run and applies no incremental date filter.
API
- Type: REST — Security Command Center (ListFindings) · Endpoint:
POST https://securitycenter.googleapis.com/v1/{parent=organizations/*/sources/-}/findings:list
Violation Definition
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Violation Definition on every run and applies no incremental date filter.
API
- Type: REST — Security Command Center (ListFindings) · Endpoint:
POST https://securitycenter.googleapis.com/v1/{parent=organizations/*/sources/-}/findings:list
Alert
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Alert on every run and applies no incremental date filter.
API
- Type: REST — Security Command Center (ListFindings) · Endpoint:
POST https://securitycenter.googleapis.com/v1/{parent=organizations/*/sources/-}/findings:list
Alert Definition
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Alert Definition on every run and applies no incremental date filter.
API
- Type: REST — Security Command Center (ListFindings) · Endpoint:
POST https://securitycenter.googleapis.com/v1/{parent=organizations/*/sources/-}/findings:list
Project
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Project on every run and applies no incremental date filter.
API
- Type: REST — Cloud Asset Inventory (ListAssets, RESOURCE content type) · Endpoint:
POST https://cloudasset.googleapis.com/v1/{parent=*/*}/assets:list?contentType=RESOURCE&assetTypes=cloudresourcemanager.googleapis.com/Project
Bucket
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Bucket on every run and applies no incremental date filter.
API
- Type: REST — Cloud Asset Inventory (ListAssets, RESOURCE content type) · Endpoint:
POST https://cloudasset.googleapis.com/v1/{parent}/assets:list?contentType=RESOURCE&assetTypes=storage.googleapis.com/Bucket
Repository
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Repository on every run and applies no incremental date filter.
API
- Type: REST — Cloud Asset Inventory (ListAssets, RESOURCE content type) · Endpoint:
POST https://cloudasset.googleapis.com/v1/{parent}/assets:list?contentType=RESOURCE&assetTypes=artifactregistry.googleapis.com/Repository
ServiceAccount
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of ServiceAccount on every run and applies no incremental date filter.
API
- Type: REST — Cloud Asset Inventory (ListAssets, RESOURCE content type) · Endpoint:
POST https://cloudasset.googleapis.com/v1/{parent}/assets:list?contentType=RESOURCE&assetTypes=iam.googleapis.com/ServiceAccount
Compute Instance
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Compute Instance on every run and applies no incremental date filter.
API
- Type: REST — Cloud Asset Inventory (ListAssets, RESOURCE content type) · Endpoint:
POST https://cloudasset.googleapis.com/v1/{parent}/assets:list?contentType=RESOURCE&assetTypes=compute.googleapis.com/Instance
Firewall
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Firewall on every run and applies no incremental date filter.
API
- Type: REST — Cloud Asset Inventory (ListAssets, RESOURCE content type) · Endpoint:
POST https://cloudasset.googleapis.com/v1/{parent}/assets:list?contentType=RESOURCE&assetTypes=compute.googleapis.com/Firewall
Disk
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Disk on every run and applies no incremental date filter.
API
- Type: REST — Cloud Asset Inventory (ListAssets, RESOURCE content type) · Endpoint:
POST https://cloudasset.googleapis.com/v1/{parent}/assets:list?contentType=RESOURCE&assetTypes=compute.googleapis.com/Disk
Address
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Address on every run and applies no incremental date filter.
API
- Type: REST — Cloud Asset Inventory (ListAssets, RESOURCE content type) · Endpoint:
POST https://cloudasset.googleapis.com/v1/{parent}/assets:list?contentType=RESOURCE&assetTypes=compute.googleapis.com/Address
Network
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Network on every run and applies no incremental date filter.
API
- Type: REST — Cloud Asset Inventory (ListAssets, RESOURCE content type) · Endpoint:
POST https://cloudasset.googleapis.com/v1/{parent}/assets:list?contentType=RESOURCE&assetTypes=compute.googleapis.com/Network
Node Pool
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Node Pool on every run and applies no incremental date filter.
API
- Type: REST — Cloud Asset Inventory (ListAssets, RESOURCE content type) · Endpoint:
POST https://cloudasset.googleapis.com/v1/{parent}/assets:list?contentType=RESOURCE&assetTypes=container.googleapis.com/NodePool
Compute Project
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Compute Project on every run and applies no incremental date filter.
API
- Type: REST — Cloud Asset Inventory (ListAssets, RESOURCE content type) · Endpoint:
POST https://cloudasset.googleapis.com/v1/{parent}/assets:list?contentType=RESOURCE&assetTypes=compute.googleapis.com/Project
GKECluster
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of GKECluster on every run and applies no incremental date filter.
API
- Type: REST — Cloud Asset Inventory (ListAssets, RESOURCE content type) · Endpoint:
POST https://cloudasset.googleapis.com/v1/{parent}/assets:list?contentType=RESOURCE&assetTypes=container.googleapis.com/Cluster
K8s Namespace
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of K8s Namespace on every run and applies no incremental date filter.
API
- Type: REST — Kubernetes API server (per cluster) · Endpoint:
GET /api/v1/namespaces
K8s Pod
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of K8s Pod on every run and applies no incremental date filter.
API
- Type: REST — Kubernetes API server (per cluster) · Endpoint:
GET /api/v1/pods
K8s ServiceAccount
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of K8s ServiceAccount on every run and applies no incremental date filter.
API
- Type: REST — Kubernetes API server (per cluster) · Endpoint:
GET /api/v1/serviceaccounts
K8s Service
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of K8s Service on every run and applies no incremental date filter.
API
- Type: REST — Kubernetes API server (per cluster) · Endpoint:
GET /api/v1/services
K8s Ingress
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of K8s Ingress on every run and applies no incremental date filter.
API
- Type: REST — Kubernetes API server (per cluster) · Endpoint:
GET /apis/networking.k8s.io/v1/ingresses
K8s Deployment
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of K8s Deployment on every run and applies no incremental date filter.
API
- Type: REST — Kubernetes API server (per cluster) · Endpoint:
GET /apis/apps/v1/deployments
K8s DaemonSet
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of K8s DaemonSet on every run and applies no incremental date filter.
API
- Type: REST — Kubernetes API server (per cluster) · Endpoint:
GET /apis/apps/v1/daemonsets
K8s Role
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of K8s Role on every run and applies no incremental date filter.
API
- Type: REST — Kubernetes API server (per cluster) · Endpoint:
GET /apis/rbac.authorization.k8s.io/v1/roles
K8s RoleBinding
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of K8s RoleBinding on every run and applies no incremental date filter.
API
- Type: REST — Kubernetes API server (per cluster) · Endpoint:
GET /apis/rbac.authorization.k8s.io/v1/rolebindings
Cloud Run Service
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Cloud Run Service on every run and applies no incremental date filter.
API
- Type: REST — Cloud Asset Inventory (ListAssets, RESOURCE content type) · Endpoint:
POST https://cloudasset.googleapis.com/v1/{parent}/assets:list?contentType=RESOURCE&assetTypes=run.googleapis.com/Service
Cloud Function
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Cloud Function on every run and applies no incremental date filter.
API
- Type: REST — Cloud Asset Inventory (ListAssets, RESOURCE content type) · Endpoint:
POST https://cloudasset.googleapis.com/v1/{parent}/assets:list?contentType=RESOURCE&assetTypes=cloudfunctions.googleapis.com/Function
App Engine Application
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of App Engine Application on every run and applies no incremental date filter.
API
- Type: REST — Cloud Asset Inventory (ListAssets, RESOURCE content type) · Endpoint:
POST https://cloudasset.googleapis.com/v1/{parent}/assets:list?contentType=RESOURCE&assetTypes=appengine.googleapis.com/Application
SQL Instance
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of SQL Instance on every run and applies no incremental date filter.
API
- Type: REST — Cloud Asset Inventory (ListAssets, RESOURCE content type) · Endpoint:
POST https://cloudasset.googleapis.com/v1/{parent}/assets:list?contentType=RESOURCE&assetTypes=sqladmin.googleapis.com/Instance
Forwarding Rule
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Forwarding Rule on every run and applies no incremental date filter.
API
- Type: REST — Cloud Asset Inventory (ListAssets, RESOURCE content type) · Endpoint:
POST https://cloudasset.googleapis.com/v1/{parent}/assets:list?contentType=RESOURCE&assetTypes=compute.googleapis.com/ForwardingRule
Backend Service
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Backend Service on every run and applies no incremental date filter.
API
- Type: REST — Cloud Asset Inventory (ListAssets, RESOURCE content type) · Endpoint:
POST https://cloudasset.googleapis.com/v1/{parent}/assets:list?contentType=RESOURCE&assetTypes=compute.googleapis.com/BackendService
Target Pool
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Target Pool on every run and applies no incremental date filter.
API
- Type: REST — Cloud Asset Inventory (ListAssets, RESOURCE content type) · Endpoint:
POST https://cloudasset.googleapis.com/v1/{parent}/assets:list?contentType=RESOURCE&assetTypes=compute.googleapis.com/TargetPool
Instance Group
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Instance Group on every run and applies no incremental date filter.
API
- Type: REST — Cloud Asset Inventory (ListAssets, RESOURCE content type) · Endpoint:
POST https://cloudasset.googleapis.com/v1/{parent}/assets:list?contentType=RESOURCE&assetTypes=compute.googleapis.com/InstanceGroup
IAM Binding
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of IAM Binding on every run and applies no incremental date filter.
API
- Type: REST — Cloud Asset Inventory (ListAssets, IAM_POLICY content type) · Endpoint:
POST https://cloudasset.googleapis.com/v1/{parent}/assets:list?contentType=IAM_POLICY
Changelog
The Google Security Command Center connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.3.2 | New Features - GCP project and folder exclusions — Two new configuration fields, Excluded Project IDs and Excluded Folder IDs, allow administrators to filter out specific GCP projects and folders from all syncs. Both bare IDs (e.g., 12345) and fully-qualified names (e.g., projects/12345, folders/67890) are accepted. Excluding a folder automatically excludes all projects nested within it. Improvements - Alert Definition, Violation Definition, and Vulnerability Definition models now include a Last Captured attribute, recording the timestamp at which each definition record was last observed during a sync. - All custom attributes now correctly participate in platform consolidation and priority resolution. Previously, custom attribute definitions were built with the raw AttributeInfoBuilder, which omitted the required ORDER_CRITERIA mapping and caused silent merge behavior issues. | N/A |
| 3.3.1 | Bug Fixes - Fixed connector failures during Google Cloud operations on certain platform versions. A dependency packaging issue caused the connector to rely on the platform's internal libraries, leading to initialization errors on platforms 11.x and 12.x. The connector now bundles all required dependencies independently. | N/A |
| 3.3.0 | New Features - Compute Engine coverage — Five new asset models for compute-side blast-radius analysis: Address (static external IPs and current users), Disk (size, type, KMS, attached instances), Network (VPC autoCreateSubnetworks, peerings, routing mode), Node Pool (GKE node-pool machine type, OAuth scopes, service account), and Compute Project (project-wide SSH keys, OS Login default, block-project-keys). The existing Compute Instance model also now captures per-instance SSH keys, OS Login, and block-project-ssh-keys metadata - Serverless coverage — New asset models for Google Cloud's managed runtimes: Cloud Run Service (ingress, container images, runtime service account), Cloud Function (Gen2, ingress settings, environment variables, build service account), and App Engine Application (serving status, default hostname, IAP, dispatch rules) - Load-balancer chain — Four new asset models that capture the full GCP load-balancer graph end-to-end: Forwarding Rule, Backend Service, Target Pool, and Instance Group. Brinqa can now follow a public forwarding rule all the way to its backing instances when computing blast radius - IAM-binding resolution — A new IAM Binding model that materialises every (principal, role, resource) tuple from project, folder, organization, bucket, function, Cloud Run, and App Engine IAM policies. Enables direct queries like "who can act on this resource" without joining raw IAM policies. New expandCustomRoles operation option inlines includedPermissions[] from custom roles so they can be searched at the same granularity as predefined roles - Kubernetes integration — In-cluster inventory across every reachable GKE cluster discovered via Cloud Asset Inventory. The connector authenticates with the configured GCP service account and pulls nine Kubernetes resource kinds — Namespace, Pod, Service Account, Service, Ingress, Deployment, DaemonSet, Role, RoleBinding — for full posture coverage. Workload Identity annotations on Kubernetes Service Accounts are surfaced as a GCP_SERVICE_ACCOUNT attribute, enabling joins between in-cluster identities and GCP IAM. Per-cluster failures (auth, RBAC, network) are logged and skipped; sync continues across reachable clusters Improvements - Exposure-analysis fields on existing models — GKE Cluster gains private-endpoint, private-nodes, and master-authorized-networks (enabled flag + CIDR list) attributes. Firewall gains allowed/denied rule lists (flattened to proto:port entries) and target service accounts. Cloud SQL gains an authorized-networks CIDR list - Optional category filter for Security Command Center findings — A new category operation option lets administrators target Violation and Alert syncs at specific finding categories (e.g. EXPOSED_HTTP_INTERFACE,PUBLIC_IP_ADDRESS). Off by default — finding categories vary by SCC tier | N/A |
| 3.2.16 | No changes in this release. | N/A |
| 3.2.15 | No changes in this release. | N/A |
| 3.2.14 | No changes in this release. | N/A |
| 3.2.13 | No changes in this release. | N/A |
| 3.2.12 | Improvements - Security findings now resolve to clearer, human-readable definition names using a built-in catalog of common Google Cloud finding categories, with automatic fallback to the finding's own description and recommended next steps when a category is not catalogued. | N/A |
| 3.2.11 | Improvements Dependency Upgrades - Updated bundled Google Cloud client libraries and resolved a grpc-api dependency conflict to improve runtime stability. | N/A |
| 3.2.10 | Improvements - Vulnerability findings now include affected and fixed package details (package name, version, type, and CPE), making it easier to understand and remediate each finding. | N/A |
| 3.2.9 | No changes in this release. | N/A |
| 3.2.8 | No changes in this release. | N/A |
| 3.2.7 | New Features - Added a SQL Instance asset model that captures Cloud SQL configuration relevant to security posture, including backup settings, availability and edition, certificate details, deletion protection, and public IP exposure. | N/A |
| 3.2.6 | Improvements - Source severity on findings is now reported as a readable severity name (e.g. HIGH) instead of a numeric code. | • Alert, Vulnerability, Violation: The source severity value changed from a numeric code to a text label. Re-sync the connector so existing findings are repopulated with the new severity values. |
| 3.2.5 | No changes in this release. | N/A |
| 3.2.4 | New Features - Added a Code Repository asset model to capture source repositories surfaced by Security Command Center. Improvements - Storage Bucket assets now capture additional security-relevant configuration, including uniform bucket-level access and public access prevention. | N/A |
| 3.2.3 | No changes in this release. | N/A |
| 3.2.2 | Improvements - The bucket "enable display" attribute is now represented as a true/false value, and the ancestors attribute now supports multiple values. | • Bucket: The "enable display" attribute changed from text to a true/false (Boolean) type. Re-sync the connector so existing Bucket records are repopulated with the new data type. |
| 3.2.1 | No changes in this release. | N/A |
| 3.2.0 | New Features - Security Command Center findings are now classified into dedicated models — Alert / Alert Definition, Vulnerability / Vulnerability Definition, and Violation / Violation Definition — for clearer posture and compliance reporting. - Added asset models for Project, GKE Cluster, and Service Account to broaden inventory coverage. | • Finding, Finding Definition: These models were retired and replaced by the category-specific Alert, Vulnerability, and Violation models (and their definitions). Purge the retired Finding and Finding Definition data and re-sync the connector to repopulate findings under the new models. |
| 3.1.3 | No changes in this release. | N/A |
| 3.1.1 | Improvements - Findings that reference a CVE now include the associated CVE identifiers and CVE records, enabling correlation with vulnerability data. | N/A |
| 3.1.0 | Improvements - Security Command Center asset and finding models were reworked with a richer, more consistent attribute schema, including additional context attributes such as resource ancestors and source name. | N/A |
| 3.0.10 | No changes in this release. | N/A |
| 3.0.9 | No changes in this release. | N/A |
| 3.0.8 | No changes in this release. | N/A |
| 3.0.7 | No changes in this release. | N/A |
| 3.0.6 | Improvements Dependency Upgrades - Updated bundled data-model dependencies. | N/A |
| 3.0.5 | No changes in this release. | N/A |
| 3.0.4 | No changes in this release. | N/A |
| 3.0.3 | Improvements Dependency Upgrades - Updated bundled data-model dependencies. | N/A |
| 3.0.2 | No changes in this release. | N/A |
| 3.0.1 | No changes in this release. | N/A |
| 3.0.0 | Overview The Security Command Center connector integrates with Google Cloud's Security Command Center to synchronize cloud infrastructure assets and security findings across your Google Cloud organization. Category: Google Cloud Models | N/A |