Skip to content

Securitycenter.settings.update

GCP

Securitycenter.settings.update

service: GCP - Security Command Center
techniques:

Event

Updates the settings or configuration of Google Security Command Center for the organization or project.

Security Context

  • Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.

Log Source

Cloud Audit Logs

Sample Event

Adversarial. Draco modifies the organization’s SCC settings to exclude the fantasticlogs-prod project from SCC’s asset-discovery scope. Once excluded, SCC stops cataloging assets in that project — vulnerability findings, IAM anomalies, misconfigurations, and threat detections are no longer generated for production resources. Combined with the earlier SetMute event (which silenced individual findings), this turns off SCC’s eyes on production entirely. The setting change persists silently until manually reverted. Note: SCC org settings are organization-scoped, so this entry routes to the org-level logName — project-only Activity queries miss it.

{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "draco@fantasticlogs.cloud"
},
"requestMetadata": {
"callerIp": "203.0.113.66",
"callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.scc.settings.update invocation-id/90000000000000000000010000000100 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)",
"requestAttributes": {
"time": "2026-04-15T13:58:18.221987654Z",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "securitycenter.googleapis.com",
"methodName": "google.cloud.securitycenter.v1.SecurityCenter.UpdateOrganizationSettings",
"authorizationInfo": [
{
"resource": "organizations/555123456789/organizationSettings",
"permission": "securitycenter.organizationsettings.update",
"granted": true,
"resourceAttributes": {}
}
],
"resourceName": "organizations/555123456789/organizationSettings",
"request": {
"@type": "type.googleapis.com/google.cloud.securitycenter.v1.UpdateOrganizationSettingsRequest",
"organizationSettings": {
"name": "organizations/555123456789/organizationSettings",
"enableAssetDiscovery": true,
"assetDiscoveryConfig": {
"projectIds": [
"fantasticlogs-prod"
],
"inclusionMode": "EXCLUDE"
}
},
"updateMask": "assetDiscoveryConfig"
},
"response": {
"@type": "type.googleapis.com/google.cloud.securitycenter.v1.OrganizationSettings",
"name": "organizations/555123456789/organizationSettings",
"enableAssetDiscovery": true,
"assetDiscoveryConfig": {
"projectIds": [
"fantasticlogs-prod"
],
"inclusionMode": "EXCLUDE"
}
}
},
"insertId": "evt010000000100",
"resource": {
"type": "organization",
"labels": {
"organization_id": "555123456789"
}
},
"timestamp": "2026-04-15T13:58:18.123456789Z",
"severity": "NOTICE",
"logName": "organizations/555123456789/logs/cloudaudit.googleapis.com%2Factivity",
"receiveTimestamp": "2026-04-15T13:58:18.567890123Z"
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...