GCP Security Command Center monitors ingest active SCC findings through Pub/Sub push delivery. Each monitor is scoped to one SCC organization, folder, or project and one SCC location.

What Clarion ingests

Clarion creates alerts for active, unmuted SCC findings with medium, high, or critical severity. Event Threat Detection findings are included when they arrive through Security Command Center.

Setup options

Use guided setup when possible. Clarion creates the Pub/Sub topic, push subscription, OIDC signer, SCC notification config, SCC-to-Pub/Sub publish grant, and read-only role grants for triage.

Use manual setup when your Google Cloud resources are managed outside Clarion. Manual setup still needs GCP runtime credentials in Clarion if agents should triage SCC alerts with GCP tools.

Guided setup provisions the shared runtime identity with keyless Workload Identity Federation whenever Clarion’s central GCP bridge is configured. JSON service account keys remain available as a fallback for local development or environments where WIF cannot be used.

Manual setup

  1. Create or open a GCP Security Command Center monitor in Clarion.
  2. Select the SCC scope type: organization, folder, or project.
  3. Enter the SCC scope ID and location.
  4. Enter the Pub/Sub delivery project ID.
  5. Copy the monitor webhook URL.
  6. In Google Cloud, create a Pub/Sub topic for SCC findings.
  7. Create a Pub/Sub push subscription that targets the Clarion webhook URL.
  8. Enable OIDC authentication on the push subscription.
  9. Create an SCC notification config that sends active findings to the Pub/Sub topic.
  10. Grant the SCC notification config service account roles/pubsub.publisher on the Pub/Sub topic.
  11. Save these values on the monitor:
    • Pub/Sub subscription resource
    • OIDC service account email
    • OIDC client ID, if configured
    • SCC notification config resource name

The OIDC token audience must match the webhook URL shown by Clarion.

Permissions

The runtime service account needs read-only access to SCC findings for the selected scope. Guided setup grants the SCC findings viewer role. For manual setup, grant equivalent read-only SCC finding access at the organization, folder, or project you monitor.

For agent triage on SCC alerts, the runtime service account also needs read-only access in the Pub/Sub delivery project for audit log and IAM lookups. Guided setup creates or reuses this runtime identity, prefers keyless WIF on Vercel, and grants roles/logging.viewer and roles/iam.securityReviewer on that project. For manual setup, first connect GCP runtime credentials in Clarion, then grant those same read-only roles.

The Google account used for guided setup needs permission to create Pub/Sub resources in the delivery project and manage SCC notification configs at the selected SCC scope.
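The Google Cloud side of manual setup steps 6 through 11 (topic, OIDC push subscription, notification config, publisher grant, audience check) together with the read-only role grants from this Permissions section, as one gcloud script. This is an added example, not Clarion's tooling or Google's documentation. The project ID, SCC scope, location, resource names, webhook URL and both service account emails are placeholders; the `--location` flag on `gcloud scc notifications` is assumed to be available in your gcloud version, `roles/securitycenter.findingsViewer` is assumed to be the findings viewer role the page refers to, and the `scope/locations/LOCATION/notificationConfigs/NAME` resource name format is assumed. With `DRY_RUN=1` the script only prints the commands it would run.

```bash
#!/usr/bin/env sh
# Added example (not Clarion's tooling): manual SCC -> Pub/Sub -> Clarion wiring
# with gcloud. Every value below is a placeholder to replace with your own.
set -eu

DELIVERY_PROJECT="${DELIVERY_PROJECT:-my-delivery-project}"     # Pub/Sub delivery project ID
SCC_SCOPE="${SCC_SCOPE:-organizations/123456789012}"           # or folders/ID or projects/ID
SCC_LOCATION="${SCC_LOCATION:-global}"                         # SCC location of the scope
WEBHOOK_URL="${WEBHOOK_URL:-https://clarion.example/webhooks/gcp-scc/MONITOR_ID}"  # from the monitor
TOPIC="${TOPIC:-clarion-scc-findings}"
SUBSCRIPTION="${SUBSCRIPTION:-clarion-scc-push}"
OIDC_SA="${OIDC_SA:-clarion-scc-push@${DELIVERY_PROJECT}.iam.gserviceaccount.com}"      # push signer
RUNTIME_SA="${RUNTIME_SA:-clarion-runtime@${DELIVERY_PROJECT}.iam.gserviceaccount.com}" # triage identity
NOTIFICATION_CONFIG="${NOTIFICATION_CONFIG:-clarion-scc}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the commands instead of running them

# run prints a command line, then executes it unless DRY_RUN=1.
run() {
  printf '+ %s\n' "$*"
  [ "$DRY_RUN" = "1" ] || "$@"
}

# scc_scope_flag turns "organizations/123" into the matching gcloud scc flag.
scc_scope_flag() {
  case "$1" in
    organizations/*) echo "--organization=${1#organizations/}" ;;
    folders/*)       echo "--folder=${1#folders/}" ;;
    projects/*)      echo "--project=${1#projects/}" ;;
    *) echo "unsupported SCC scope: $1" >&2; return 1 ;;
  esac
}

# audience_matches is the post-setup check: the OIDC token audience on the push
# subscription must equal the webhook URL Clarion shows for the monitor.
audience_matches() {
  [ "$1" = "$WEBHOOK_URL" ]
}

# Steps 6-8: topic plus an OIDC-authenticated push subscription to Clarion.
create_topic_and_subscription() {
  run gcloud pubsub topics create "$TOPIC" --project="$DELIVERY_PROJECT"
  run gcloud pubsub subscriptions create "$SUBSCRIPTION" \
    --project="$DELIVERY_PROJECT" --topic="$TOPIC" \
    --push-endpoint="$WEBHOOK_URL" \
    --push-auth-service-account="$OIDC_SA" \
    --push-auth-token-audience="$WEBHOOK_URL"
}

# Step 9: notification config that forwards active findings to the topic
# (Clarion itself keeps only unmuted medium/high/critical findings).
# --location is assumed to exist in your gcloud version.
create_notification_config() {
  run gcloud scc notifications create "$NOTIFICATION_CONFIG" \
    "$(scc_scope_flag "$SCC_SCOPE")" --location="$SCC_LOCATION" \
    --pubsub-topic="projects/${DELIVERY_PROJECT}/topics/${TOPIC}" \
    --filter='state = "ACTIVE"'
}

# Step 10: let the notification config's own service account publish to the topic.
grant_publisher() {
  sa="SCC_NOTIFICATION_SA_PLACEHOLDER"   # real value is read from the config
  if [ "$DRY_RUN" != "1" ]; then
    sa=$(gcloud scc notifications describe "$NOTIFICATION_CONFIG" \
      "$(scc_scope_flag "$SCC_SCOPE")" --location="$SCC_LOCATION" \
      --format='value(serviceAccount)')
  fi
  run gcloud pubsub topics add-iam-policy-binding "$TOPIC" --project="$DELIVERY_PROJECT" \
    --member="serviceAccount:${sa}" --role=roles/pubsub.publisher
}

# Permissions: read-only SCC findings at the scope, plus log and IAM lookups in
# the delivery project, for the runtime identity that triage uses.
grant_runtime_roles() {
  case "$SCC_SCOPE" in
    organizations/*) group="organizations" ;;
    folders/*)       group="resource-manager folders" ;;
    projects/*)      group="projects" ;;
    *) echo "unsupported SCC scope: $SCC_SCOPE" >&2; return 1 ;;
  esac
  # $group is intentionally unquoted so "resource-manager folders" splits into two words.
  run gcloud $group add-iam-policy-binding "${SCC_SCOPE#*/}" \
    --member="serviceAccount:${RUNTIME_SA}" --role=roles/securitycenter.findingsViewer
  for role in roles/logging.viewer roles/iam.securityReviewer; do
    run gcloud projects add-iam-policy-binding "$DELIVERY_PROJECT" \
      --member="serviceAccount:${RUNTIME_SA}" --role="$role"
  done
}

# full_setup runs everything in order, verifies the audience, and prints the
# values step 11 asks you to save on the monitor. RUN_SETUP=1 executes it.
full_setup() {
  create_topic_and_subscription
  create_notification_config
  grant_publisher
  grant_runtime_roles
  aud="$WEBHOOK_URL"
  [ "$DRY_RUN" = "1" ] || aud=$(gcloud pubsub subscriptions describe "$SUBSCRIPTION" \
    --project="$DELIVERY_PROJECT" --format='value(pushConfig.oidcToken.audience)')
  audience_matches "$aud" || { echo "OIDC audience '$aud' != webhook URL" >&2; return 1; }
  echo "Now save on the monitor: projects/${DELIVERY_PROJECT}/subscriptions/${SUBSCRIPTION}" \
    "${OIDC_SA} ${SCC_SCOPE}/locations/${SCC_LOCATION}/notificationConfigs/${NOTIFICATION_CONFIG}"
}

if [ "${RUN_SETUP:-0}" = "1" ]; then full_setup; fi
```

Run `DRY_RUN=1 RUN_SETUP=1 sh setup.sh` first to review the exact commands, then drop `DRY_RUN` once the placeholders are replaced. The audience check at the end is the one most worth keeping: a push subscription whose OIDC audience differs from the Clarion webhook URL delivers nothing, and the failure shows up only as unacknowledged messages on the subscription.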