Using the SCC APIs to build a lightweight version of SCC product

Thank you for posting this question. You should be able to do more than just listing assets, findings and vulnerabilities. Based on the information listed i don't fully understand your use cases and requirements here but in general you should be able to gather most of the details out of SCC via the API and i will try to give a few options here on working with data from SCC.

You already shared the documentation which contains most of the supported ways to interact with our API. 

The most common way how i see our customers working with SCC is exporting Findings and data out of our platform and sending it to a SIEM, SOAR or other workflow or reporting type tools. The following guide can give some details on how to export Findings from SCC. When i say Findings this should include Findings from the detection methods of SCC including Findings generated by Event Threat Detection rules, VM and Container Threat Detection, Misconfigurations, etc

If you don't want to go down the direct API route you can also configure Exports via Pub/Sub Topics and your 3rd party tool can interact with those topics to fetch this information or export your data to BigQuery where you can create reports and further use cases with your SCC data.

You can find some more information on these methods here or on my topic on SCC and BigQuery.

One more finishing thought that with SCC Enterprise which was released a few months ago, now you also have the opportunity to send all your SCC data into a Chronicle SecOps (SIEM + SOAR) platform automatically and you have the full flexibility of SOAR playbooks to work with your data and create custom workflows as needed.

If you would like to dive into any of these topics in more depth or have a specific use case you would like to discuss further i'm happy to help, just let me know.

Thanks @andras11 for your detailed respond. My use case or rather my idea is to build a lightweight product similar to SCC with a separate GUI that I can use internally within my org. Again does this mean that the scope is limited to the project where the product is deployed meaning self contained. I can't build a GCP marketplace type SaaS product.

if it's mainly displaying Findings and a few other stats of SCC in different ways then the API or Pub/Sub route should be able to export the Findings you need from all the different categories into an internal tool (if it's mainly visualization you after then Looker+BigQuery combination is still in play here). With both API and Pub/Sub route you can choose to keep the data contained inside the project or you can also expose it to other tools and functions in other GCP projects or outside GCP depending on your design and requirements.

I don't have sufficient familiarity to be able to comment on the Marketplace side

@andras11 Thanks for your reply. Do the SCC events get published to Pub/Sub by default and to a predefined pub/sub topic or do i need to setup user defined pub/sub topic?

They are not automatically sent to a pub/sub topic. You will need to first create a pub/sub topic then within your SCC Configuration you need to create a 'Continuous Export' to define what Findings you want to send to a that pub/sub topic. You can use a filter on the continuous export settings to exclude/include Findings as needed. You can also create multiple exports to send different type of events using your filters to different destinations.

Thanks @andras11 appreciate your quick response very much.

@andras11  Are SCC premium events available out of the box (without enabling SCC premium)  and can these events be streamed to a BQ dataset? On a different note are there APIs that can fetch SCC premium related data for free? Also how are the SCC  APIs billed?

For Premium tier detections (VM and Container Threat Detection, Event Threat Detection, etc) to be available for streaming to BQ you would need Premium/Enterprise enabled and setup. If they are not enabled the relevant Findings will not be created. For pricing you can find some more information here but i don't have any more specific answer for this sorry

Can i enable SCC premium in Project A and call APIs from Project A to fetch SCC premium findings from a different project,  Project B? In Summary does cross project access work without enabling SCC premium in the target project @andras11 ?

SCC Premium Findings would only be available on Project B if SCC Premium is enabled on that project or if it'e enabled Org wide. There are some more info on the activation of different tiers here and some of the limitations on Project vs Org activation 

@andras11 From the documentation i see one time export which is what we need here (historical events  + current). However looking at the syntax for gcloud CLI command I don't see an option in the gcloud CLI to specify whether i want to do a continuous export or a one-time export.

the method with the gcloud scc findings list CLI command does not define an option for continuous export or one-time export because this only supports the one-time export method.

If you need continuous export, at the moment you only have the Pub/Sub option to go with

Interesting because from executing the gcloud CLI mentioned in this link it seems to be fetching new events only (streaming) as the heading mentioned not one time export

Yes, the command used here is for streaming logs from SCC to a BigQuery Dataset. You can stream SCC Findings to a BigQuery dataset with gcloud scc bqexports; you can stream SCC Findings to a SecOps SIEM/SOAR Instance natively and if you would like to stream SCC Findings to a 3rd Party destination then you can use the Pub/Sub option.

For Single Export you can use the gcloud scc findings list option as you mentioned above but this will be a one export per command execution option