/
securitycenter_v1.folders.sources.findings.html
1976 lines (1919 loc) 路 202 KB
/
securitycenter_v1.folders.sources.findings.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<html><body>
<style>
body, h1, h2, h3, div, span, p, pre, a {
margin: 0;
padding: 0;
border: 0;
font-weight: inherit;
font-style: inherit;
font-size: 100%;
font-family: inherit;
vertical-align: baseline;
}
body {
font-size: 13px;
padding: 1em;
}
h1 {
font-size: 26px;
margin-bottom: 1em;
}
h2 {
font-size: 24px;
margin-bottom: 1em;
}
h3 {
font-size: 20px;
margin-bottom: 1em;
margin-top: 1em;
}
pre, code {
line-height: 1.5;
font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
}
pre {
margin-top: 0.5em;
}
h1, h2, h3, p {
font-family: Arial, sans serif;
}
h1, h2, h3 {
border-bottom: solid #CCC 1px;
}
.toc_element {
margin-top: 0.5em;
}
.firstline {
margin-left: 2 em;
}
.method {
margin-top: 1em;
border: solid 1px #CCC;
padding: 1em;
background: #EEE;
}
.details {
font-weight: bold;
font-size: 14px;
}
</style>
<h1><a href="securitycenter_v1.html">Security Command Center API</a> . <a href="securitycenter_v1.folders.html">folders</a> . <a href="securitycenter_v1.folders.sources.html">sources</a> . <a href="securitycenter_v1.folders.sources.findings.html">findings</a></h1>
<h2>Instance Methods</h2>
<p class="toc_element">
<code><a href="securitycenter_v1.folders.sources.findings.externalSystems.html">externalSystems()</a></code>
</p>
<p class="firstline">Returns the externalSystems Resource.</p>
<p class="toc_element">
<code><a href="#close">close()</a></code></p>
<p class="firstline">Close httplib2 connections.</p>
<p class="toc_element">
<code><a href="#group">group(parent, body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Filters an organization or source's findings and groups them by their specified properties. To group across all sources provide a `-` as the source id. Example: /v1/organizations/{organization_id}/sources/-/findings, /v1/folders/{folder_id}/sources/-/findings, /v1/projects/{project_id}/sources/-/findings</p>
<p class="toc_element">
<code><a href="#group_next">group_next()</a></code></p>
<p class="firstline">Retrieves the next page of results.</p>
<p class="toc_element">
<code><a href="#list">list(parent, compareDuration=None, fieldMask=None, filter=None, orderBy=None, pageSize=None, pageToken=None, readTime=None, x__xgafv=None)</a></code></p>
<p class="firstline">Lists an organization or source's findings. To list across all sources provide a `-` as the source id. Example: /v1/organizations/{organization_id}/sources/-/findings</p>
<p class="toc_element">
<code><a href="#list_next">list_next()</a></code></p>
<p class="firstline">Retrieves the next page of results.</p>
<p class="toc_element">
<code><a href="#patch">patch(name, body=None, updateMask=None, x__xgafv=None)</a></code></p>
<p class="firstline">Creates or updates a finding. The corresponding source must exist for a finding creation to succeed.</p>
<p class="toc_element">
<code><a href="#setMute">setMute(name, body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Updates the mute state of a finding.</p>
<p class="toc_element">
<code><a href="#setState">setState(name, body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Updates the state of a finding.</p>
<p class="toc_element">
<code><a href="#updateSecurityMarks">updateSecurityMarks(name, body=None, startTime=None, updateMask=None, x__xgafv=None)</a></code></p>
<p class="firstline">Updates security marks.</p>
<h3>Method Details</h3>
<div class="method">
<code class="details" id="close">close()</code>
<pre>Close httplib2 connections.</pre>
</div>
<div class="method">
<code class="details" id="group">group(parent, body=None, x__xgafv=None)</code>
<pre>Filters an organization or source's findings and groups them by their specified properties. To group across all sources provide a `-` as the source id. Example: /v1/organizations/{organization_id}/sources/-/findings, /v1/folders/{folder_id}/sources/-/findings, /v1/projects/{project_id}/sources/-/findings
Args:
parent: string, Required. Name of the source to groupBy. Its format is "organizations/[organization_id]/sources/[source_id]", folders/[folder_id]/sources/[source_id], or projects/[project_id]/sources/[source_id]. To groupBy across all sources provide a source_id of `-`. For example: organizations/{organization_id}/sources/-, folders/{folder_id}/sources/-, or projects/{project_id}/sources/- (required)
body: object, The request body.
The object takes the form of:
{ # Request message for grouping by findings.
"compareDuration": "A String", # When compare_duration is set, the GroupResult's "state_change" attribute is updated to indicate whether the finding had its state changed, the finding's state remained unchanged, or if the finding was added during the compare_duration period of time that precedes the read_time. This is the time between (read_time - compare_duration) and read_time. The state_change value is derived based on the presence and state of the finding at the two points in time. Intermediate state changes between the two times don't affect the result. For example, the results aren't affected if the finding is made inactive and then active again. Possible "state_change" values when compare_duration is specified: * "CHANGED": indicates that the finding was present and matched the given filter at the start of compare_duration, but changed its state at read_time. * "UNCHANGED": indicates that the finding was present and matched the given filter at the start of compare_duration and did not change state at read_time. * "ADDED": indicates that the finding did not match the given filter or was not present at the start of compare_duration, but was present at read_time. * "REMOVED": indicates that the finding was present and matched the filter at the start of compare_duration, but did not match the filter at read_time. If compare_duration is not specified, then the only possible state_change is "UNUSED", which will be the state_change set for all findings present at read_time. If this field is set then `state_change` must be a specified field in `group_by`.
"filter": "A String", # Expression that defines the filter to apply across findings. The expression is a list of one or more restrictions combined via logical operators `AND` and `OR`. Parentheses are supported, and `OR` has higher precedence than `AND`. Restrictions have the form ` ` and may have a `-` character in front of them to indicate negation. Examples include: * name * source_properties.a_property * security_marks.marks.marka The supported operators are: * `=` for all value types. * `>`, `<`, `>=`, `<=` for integer values. * `:`, meaning substring matching, for strings. The supported value types are: * string literals in quotes. * integer literals without quotes. * boolean literals `true` and `false` without quotes. The following field and operator combinations are supported: * name: `=` * parent: `=`, `:` * resource_name: `=`, `:` * state: `=`, `:` * category: `=`, `:` * external_uri: `=`, `:` * event_time: `=`, `>`, `<`, `>=`, `<=` Usage: This should be milliseconds since epoch or an RFC3339 string. Examples: `event_time = "2019-06-10T16:07:18-07:00"` `event_time = 1560208038000` * severity: `=`, `:` * workflow_state: `=`, `:` * security_marks.marks: `=`, `:` * source_properties: `=`, `:`, `>`, `<`, `>=`, `<=` For example, `source_properties.size = 100` is a valid filter string. Use a partial match on the empty string to filter based on a property existing: `source_properties.my_property : ""` Use a negated partial match on the empty string to filter based on a property not existing: `-source_properties.my_property : ""` * resource: * resource.name: `=`, `:` * resource.parent_name: `=`, `:` * resource.parent_display_name: `=`, `:` * resource.project_name: `=`, `:` * resource.project_display_name: `=`, `:` * resource.type: `=`, `:`
"groupBy": "A String", # Required. Expression that defines what assets fields to use for grouping (including `state_change`). The string value should follow SQL syntax: comma separated list of fields. For example: "parent,resource_name". The following fields are supported: * resource_name * category * state * parent * severity The following fields are supported when compare_duration is set: * state_change
"pageSize": 42, # The maximum number of results to return in a single response. Default is 10, minimum is 1, maximum is 1000.
"pageToken": "A String", # The value returned by the last `GroupFindingsResponse`; indicates that this is a continuation of a prior `GroupFindings` call, and that the system should return the next page of data.
"readTime": "A String", # Time used as a reference point when filtering findings. The filter is limited to findings existing at the supplied time and their values are those at that specific time. Absence of this field will default to the API's version of NOW.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Response message for group by findings.
"groupByResults": [ # Group results. There exists an element for each existing unique combination of property/values. The element contains a count for the number of times those specific property/values appear.
{ # Result containing the properties and count of a groupBy request.
"count": "A String", # Total count of resources for the given properties.
"properties": { # Properties matching the groupBy fields in the request.
"a_key": "",
},
},
],
"nextPageToken": "A String", # Token to retrieve the next page of results, or empty if there are no more results.
"readTime": "A String", # Time used for executing the groupBy request.
"totalSize": 42, # The total number of results matching the query.
}</pre>
</div>
<div class="method">
<code class="details" id="group_next">group_next()</code>
<pre>Retrieves the next page of results.
Args:
previous_request: The request for the previous page. (required)
previous_response: The response from the request for the previous page. (required)
Returns:
A request object that you can call 'execute()' on to request the next
page. Returns None if there are no more items in the collection.
</pre>
</div>
<div class="method">
<code class="details" id="list">list(parent, compareDuration=None, fieldMask=None, filter=None, orderBy=None, pageSize=None, pageToken=None, readTime=None, x__xgafv=None)</code>
<pre>Lists an organization or source's findings. To list across all sources provide a `-` as the source id. Example: /v1/organizations/{organization_id}/sources/-/findings
Args:
parent: string, Required. Name of the source the findings belong to. Its format is "organizations/[organization_id]/sources/[source_id], folders/[folder_id]/sources/[source_id], or projects/[project_id]/sources/[source_id]". To list across all sources provide a source_id of `-`. For example: organizations/{organization_id}/sources/-, folders/{folder_id}/sources/- or projects/{projects_id}/sources/- (required)
compareDuration: string, When compare_duration is set, the ListFindingsResult's "state_change" attribute is updated to indicate whether the finding had its state changed, the finding's state remained unchanged, or if the finding was added in any state during the compare_duration period of time that precedes the read_time. This is the time between (read_time - compare_duration) and read_time. The state_change value is derived based on the presence and state of the finding at the two points in time. Intermediate state changes between the two times don't affect the result. For example, the results aren't affected if the finding is made inactive and then active again. Possible "state_change" values when compare_duration is specified: * "CHANGED": indicates that the finding was present and matched the given filter at the start of compare_duration, but changed its state at read_time. * "UNCHANGED": indicates that the finding was present and matched the given filter at the start of compare_duration and did not change state at read_time. * "ADDED": indicates that the finding did not match the given filter or was not present at the start of compare_duration, but was present at read_time. * "REMOVED": indicates that the finding was present and matched the filter at the start of compare_duration, but did not match the filter at read_time. If compare_duration is not specified, then the only possible state_change is "UNUSED", which will be the state_change set for all findings present at read_time.
fieldMask: string, A field mask to specify the Finding fields to be listed in the response. An empty field mask will list all fields.
filter: string, Expression that defines the filter to apply across findings. The expression is a list of one or more restrictions combined via logical operators `AND` and `OR`. Parentheses are supported, and `OR` has higher precedence than `AND`. Restrictions have the form ` ` and may have a `-` character in front of them to indicate negation. Examples include: * name * source_properties.a_property * security_marks.marks.marka The supported operators are: * `=` for all value types. * `>`, `<`, `>=`, `<=` for integer values. * `:`, meaning substring matching, for strings. The supported value types are: * string literals in quotes. * integer literals without quotes. * boolean literals `true` and `false` without quotes. The following field and operator combinations are supported: * name: `=` * parent: `=`, `:` * resource_name: `=`, `:` * state: `=`, `:` * category: `=`, `:` * external_uri: `=`, `:` * event_time: `=`, `>`, `<`, `>=`, `<=` Usage: This should be milliseconds since epoch or an RFC3339 string. Examples: `event_time = "2019-06-10T16:07:18-07:00"` `event_time = 1560208038000` * severity: `=`, `:` * workflow_state: `=`, `:` * security_marks.marks: `=`, `:` * source_properties: `=`, `:`, `>`, `<`, `>=`, `<=` For example, `source_properties.size = 100` is a valid filter string. Use a partial match on the empty string to filter based on a property existing: `source_properties.my_property : ""` Use a negated partial match on the empty string to filter based on a property not existing: `-source_properties.my_property : ""` * resource: * resource.name: `=`, `:` * resource.parent_name: `=`, `:` * resource.parent_display_name: `=`, `:` * resource.project_name: `=`, `:` * resource.project_display_name: `=`, `:` * resource.type: `=`, `:` * resource.folders.resource_folder: `=`, `:` * resource.display_name: `=`, `:`
orderBy: string, Expression that defines what fields and order to use for sorting. The string value should follow SQL syntax: comma separated list of fields. For example: "name,resource_properties.a_property". The default sorting order is ascending. To specify descending order for a field, a suffix " desc" should be appended to the field name. For example: "name desc,source_properties.a_property". Redundant space characters in the syntax are insignificant. "name desc,source_properties.a_property" and " name desc , source_properties.a_property " are equivalent. The following fields are supported: name parent state category resource_name event_time source_properties security_marks.marks
pageSize: integer, The maximum number of results to return in a single response. Default is 10, minimum is 1, maximum is 1000.
pageToken: string, The value returned by the last `ListFindingsResponse`; indicates that this is a continuation of a prior `ListFindings` call, and that the system should return the next page of data.
readTime: string, Time used as a reference point when filtering findings. The filter is limited to findings existing at the supplied time and their values are those at that specific time. Absence of this field will default to the API's version of NOW.
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Response message for listing findings.
"listFindingsResults": [ # Findings matching the list request.
{ # Result containing the Finding and its StateChange.
"finding": { # Security Command Center finding. A finding is a record of assessment data like security, risk, health, or privacy, that is ingested into Security Command Center for presentation, notification, analysis, policy testing, and enforcement. For example, a cross-site scripting (XSS) vulnerability in an App Engine application is a finding. # Finding matching the search request.
"access": { # Represents an access event. # Access details associated to the Finding, such as more information on the caller, which method was accessed, from where, etc.
"callerIp": "A String", # Caller's IP address, such as "1.1.1.1".
"callerIpGeo": { # Represents a geographical location for a given access. # The caller IP's geolocation, which identifies where the call came from.
"regionCode": "A String", # A CLDR.
},
"methodName": "A String", # The method that the service account called, e.g. "SetIamPolicy".
"principalEmail": "A String", # Associated email, such as "foo@google.com". The email address of the authenticated user (or service account on behalf of third party principal) making the request. For third party identity callers, the `principal_subject` field is populated instead of this field. For privacy reasons, the principal email address is sometimes redacted. For more information, see [Caller identities in audit logs](https://cloud.google.com/logging/docs/audit#user-id).
"principalSubject": "A String", # A string representing the principal_subject associated with the identity. As compared to `principal_email`, supports principals that aren't associated with email addresses, such as third party principals. For most identities, the format will be `principal://iam.googleapis.com/{identity pool name}/subjects/{subject}` except for some GKE identities (GKE_WORKLOAD, FREEFORM, GKE_HUB_WORKLOAD) that are still in the legacy format `serviceAccount:{identity pool name}[{subject}]`
"serviceAccountDelegationInfo": [ # Identity delegation history of an authenticated service account that makes the request. It contains information on the real authorities that try to access GCP resources by delegating on a service account. When multiple authorities are present, they are guaranteed to be sorted based on the original ordering of the identity delegation events.
{ # Identity delegation history of an authenticated service account.
"principalEmail": "A String", # The email address of a Google account.
"principalSubject": "A String", # A string representing the principal_subject associated with the identity. As compared to `principal_email`, supports principals that aren't associated with email addresses, such as third party principals. For most identities, the format will be `principal://iam.googleapis.com/{identity pool name}/subjects/{subject}` except for some GKE identities (GKE_WORKLOAD, FREEFORM, GKE_HUB_WORKLOAD) that are still in the legacy format `serviceAccount:{identity pool name}[{subject}]`
},
],
"serviceAccountKeyName": "A String", # The name of the service account key used to create or exchange credentials for authenticating the service account making the request. This is a scheme-less URI full resource name. For example: "//iam.googleapis.com/projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}"
"serviceName": "A String", # This is the API service that the service account made a call to, e.g. "iam.googleapis.com"
"userAgentFamily": "A String", # What kind of user agent is associated, e.g. operating system shells, embedded or stand-alone applications, etc.
"userName": "A String", # A string representing a username. This is likely not an IAM principal. For instance, this may be the system user name if the finding is VM-related, or this may be some type of application login user name, depending on the type of finding.
},
"canonicalName": "A String", # The canonical name of the finding. It's either "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}", "folders/{folder_id}/sources/{source_id}/findings/{finding_id}" or "projects/{project_number}/sources/{source_id}/findings/{finding_id}", depending on the closest CRM ancestor of the resource associated with the finding.
"category": "A String", # The additional taxonomy group within findings from a given source. This field is immutable after creation time. Example: "XSS_FLASH_INJECTION"
"compliances": [ # Contains compliance information for security standards associated to the finding.
{ # Contains compliance information about a security standard indicating unmet recommendations.
"ids": [ # Policies within the standard/benchmark e.g. A.12.4.1
"A String",
],
"standard": "A String", # Refers to industry wide standards or benchmarks e.g. "cis", "pci", "owasp", etc.
"version": "A String", # Version of the standard/benchmark e.g. 1.1
},
],
"connections": [ # Contains information about the IP connection associated with the finding.
{ # Contains information about the IP connection associated with the finding.
"destinationIp": "A String", # Destination IP address. Not present for sockets that are listening and not connected.
"destinationPort": 42, # Destination port. Not present for sockets that are listening and not connected.
"protocol": "A String", # IANA Internet Protocol Number such as TCP(6) and UDP(17).
"sourceIp": "A String", # Source IP address.
"sourcePort": 42, # Source port.
},
],
"contacts": { # Output only. Map containing the points of contact for the given finding. The key represents the type of contact, while the value contains a list of all the contacts that pertain. Please refer to: https://cloud.google.com/resource-manager/docs/managing-notification-contacts#notification-categories { "security": { "contacts": [ { "email": "person1@company.com" }, { "email": "person2@company.com" } ] } }
"a_key": { # The details pertaining to specific contacts
"contacts": [ # A list of contacts
{ # Representa a single contact's email address
"email": "A String", # An email address e.g. "person123@company.com"
},
],
},
},
"containers": [ # Containers associated with the finding. containers provides information for both Kubernetes and non-Kubernetes containers.
{ # Container associated with the finding.
"imageId": "A String", # Optional container image id, when provided by the container runtime. Uniquely identifies the container image launched using a container image digest.
"labels": [ # Container labels, as provided by the container runtime.
{ # Label represents a generic name=value label. Label has separate name and value fields to support filtering with contains().
"name": "A String", # Label name.
"value": "A String", # Label value.
},
],
"name": "A String", # Container name.
"uri": "A String", # Container image URI provided when configuring a pod/container. May identify a container image version using mutable tags.
},
],
"createTime": "A String", # The time at which the finding was created in Security Command Center.
"database": { # Represents database access information, such as queries. A database may be a sub-resource of an instance (as in the case of CloudSQL instances or Cloud Spanner instances), or the database instance itself. Some database resources may not have the full resource name populated because these resource types are not yet supported by Cloud Asset Inventory (e.g. CloudSQL databases). In these cases only the display name will be provided. # Database associated with the finding.
"displayName": "A String", # The human readable name of the database the user connected to.
"grantees": [ # The target usernames/roles/groups of a SQL privilege grant (not an IAM policy change).
"A String",
],
"name": "A String", # The full resource name of the database the user connected to, if it is supported by CAI. (https://google.aip.dev/122#full-resource-names)
"query": "A String", # The SQL statement associated with the relevant access.
"userName": "A String", # The username used to connect to the DB. This may not necessarily be an IAM principal, and has no required format.
},
"description": "A String", # Contains more detail about the finding.
"eventTime": "A String", # The time the finding was first detected. If an existing finding is updated, then this is the time the update occurred. For example, if the finding represents an open firewall, this property captures the time the detector believes the firewall became open. The accuracy is determined by the detector. If the finding is later resolved, then this time reflects when the finding was resolved. This must not be set to a value greater than the current timestamp.
"exfiltration": { # Exfiltration represents a data exfiltration attempt of one or more sources to one or more targets. Sources represent the source of data that is exfiltrated, and Targets represents the destination the data was copied to. # Represents exfiltration associated with the Finding.
"sources": [ # If there are multiple sources, then the data is considered "joined" between them. For instance, BigQuery can join multiple tables, and each table would be considered a source.
{ # Resource that has been exfiltrated or exfiltrated_to.
"components": [ # Subcomponents of the asset that is exfiltrated - these could be URIs used during exfiltration, table names, databases, filenames, etc. For example, multiple tables may be exfiltrated from the same CloudSQL instance, or multiple files from the same Cloud Storage bucket.
"A String",
],
"name": "A String", # Resource's URI (https://google.aip.dev/122#full-resource-names)
},
],
"targets": [ # If there are multiple targets, each target would get a complete copy of the "joined" source data.
{ # Resource that has been exfiltrated or exfiltrated_to.
"components": [ # Subcomponents of the asset that is exfiltrated - these could be URIs used during exfiltration, table names, databases, filenames, etc. For example, multiple tables may be exfiltrated from the same CloudSQL instance, or multiple files from the same Cloud Storage bucket.
"A String",
],
"name": "A String", # Resource's URI (https://google.aip.dev/122#full-resource-names)
},
],
},
"externalSystems": { # Output only. Third party SIEM/SOAR fields within SCC, contains external system information and external system finding fields.
"a_key": { # Representation of third party SIEM/SOAR fields within SCC.
"assignees": [ # References primary/secondary etc assignees in the external system.
"A String",
],
"externalSystemUpdateTime": "A String", # The most recent time when the corresponding finding's ticket/tracker was updated in the external system.
"externalUid": "A String", # Identifier that's used to track the given finding in the external system.
"name": "A String", # External System Name e.g. jira, demisto, etc. e.g.: `organizations/1234/sources/5678/findings/123456/externalSystems/jira` `folders/1234/sources/5678/findings/123456/externalSystems/jira` `projects/1234/sources/5678/findings/123456/externalSystems/jira`
"status": "A String", # Most recent status of the corresponding finding's ticket/tracker in the external system.
},
},
"externalUri": "A String", # The URI that, if available, points to a web page outside of Security Command Center where additional information about the finding can be found. This field is guaranteed to be either empty or a well formed URL.
"files": [ # File associated with the finding.
{ # File information about the related binary/library used by an executable, or the script used by a script interpreter
"contents": "A String", # Prefix of the file contents as a JSON encoded string. (Currently only populated for Malicious Script Executed findings.)
"hashedSize": "A String", # The length in bytes of the file prefix that was hashed. If hashed_size == size, any hashes reported represent the entire file.
"partiallyHashed": True or False, # True when the hash covers only a prefix of the file.
"path": "A String", # Absolute path of the file as a JSON encoded string.
"sha256": "A String", # SHA256 hash of the first hashed_size bytes of the file encoded as a hex string. If hashed_size == size, sha256 represents the SHA256 hash of the entire file.
"size": "A String", # Size of the file in bytes.
},
],
"findingClass": "A String", # The class of the finding.
"iamBindings": [ # Represents IAM bindings associated with the Finding.
{ # Represents a particular IAM binding, which captures a member's role addition, removal, or state.
"action": "A String", # The action that was performed on a Binding.
"member": "A String", # A single identity requesting access for a Cloud Platform resource, e.g. "foo@google.com".
"role": "A String", # Role that is assigned to "members". For example, "roles/viewer", "roles/editor", or "roles/owner".
},
],
"indicator": { # Represents what's commonly known as an Indicator of compromise (IoC) in computer forensics. This is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Reference: https://en.wikipedia.org/wiki/Indicator_of_compromise # Represents what's commonly known as an Indicator of compromise (IoC) in computer forensics. This is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Reference: https://en.wikipedia.org/wiki/Indicator_of_compromise
"domains": [ # List of domains associated to the Finding.
"A String",
],
"ipAddresses": [ # List of ip addresses associated to the Finding.
"A String",
],
"signatures": [ # The list of matched signatures indicating that the given process is present in the environment.
{ # Indicates what signature matched this process.
"memoryHashSignature": { # A signature corresponding to memory page hashes. # Signature indicating that a binary family was matched.
"binaryFamily": "A String", # The binary family.
"detections": [ # The list of memory hash detections contributing to the binary family match.
{ # Memory hash detection contributing to the binary family match.
"binary": "A String", # The name of the binary associated with the memory hash signature detection.
"percentPagesMatched": 3.14, # The percentage of memory page hashes in the signature that were matched.
},
],
},
"yaraRuleSignature": { # A signature corresponding to a YARA rule. # Signature indicating that a YARA rule was matched.
"yaraRule": "A String", # The name of the YARA rule.
},
},
],
"uris": [ # The list of URIs associated to the Findings.
"A String",
],
},
"kubernetes": { # Kubernetes related attributes. # Kubernetes resources associated with the finding.
"accessReviews": [ # Provides information on any Kubernetes access reviews (i.e. privilege checks) relevant to the finding.
{ # Conveys information about a Kubernetes access review (e.g. kubectl auth can-i ...) that was involved in a finding.
"group": "A String", # Group is the API Group of the Resource. "*" means all.
"name": "A String", # Name is the name of the resource being requested. Empty means all.
"ns": "A String", # Namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces. Both are represented by "" (empty).
"resource": "A String", # Resource is the optional resource type requested. "*" means all.
"subresource": "A String", # Subresource is the optional subresource type.
"verb": "A String", # Verb is a Kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy. "*" means all.
"version": "A String", # Version is the API Version of the Resource. "*" means all.
},
],
"bindings": [ # Provides Kubernetes role binding information for findings that involve RoleBindings or ClusterRoleBindings.
{ # Represents a Kubernetes RoleBinding or ClusterRoleBinding.
"name": "A String", # Name for binding.
"ns": "A String", # Namespace for binding.
"role": { # Kubernetes Role or ClusterRole. # The Role or ClusterRole referenced by the binding.
"kind": "A String", # Role type.
"name": "A String", # Role name.
"ns": "A String", # Role namespace.
},
"subjects": [ # Represents the subjects(s) bound to the role. Not always available for PATCH requests.
{ # Represents a Kubernetes Subject.
"kind": "A String", # Authentication type for subject.
"name": "A String", # Name for subject.
"ns": "A String", # Namespace for subject.
},
],
},
],
"nodePools": [ # GKE Node Pools associated with the finding. This field will contain NodePool information for each Node, when it is available.
{ # Provides GKE Node Pool information.
"name": "A String", # Kubernetes Node pool name.
"nodes": [ # Nodes associated with the finding.
{ # Kubernetes Nodes associated with the finding.
"name": "A String", # Full Resource name of the Compute Engine VM running the cluster node.
},
],
},
],
"nodes": [ # Provides Kubernetes Node information.
{ # Kubernetes Nodes associated with the finding.
"name": "A String", # Full Resource name of the Compute Engine VM running the cluster node.
},
],
"pods": [ # Kubernetes Pods associated with the finding. This field will contain Pod records for each container that is owned by a Pod.
{ # Kubernetes Pod.
"containers": [ # Pod containers associated with this finding, if any.
{ # Container associated with the finding.
"imageId": "A String", # Optional container image id, when provided by the container runtime. Uniquely identifies the container image launched using a container image digest.
"labels": [ # Container labels, as provided by the container runtime.
{ # Label represents a generic name=value label. Label has separate name and value fields to support filtering with contains().
"name": "A String", # Label name.
"value": "A String", # Label value.
},
],
"name": "A String", # Container name.
"uri": "A String", # Container image URI provided when configuring a pod/container. May identify a container image version using mutable tags.
},
],
"labels": [ # Pod labels. For Kubernetes containers, these are applied to the container.
{ # Label represents a generic name=value label. Label has separate name and value fields to support filtering with contains().
"name": "A String", # Label name.
"value": "A String", # Label value.
},
],
"name": "A String", # Kubernetes Pod name.
"ns": "A String", # Kubernetes Pod namespace.
},
],
"roles": [ # Provides Kubernetes role information for findings that involve Roles or ClusterRoles.
{ # Kubernetes Role or ClusterRole.
"kind": "A String", # Role type.
"name": "A String", # Role name.
"ns": "A String", # Role namespace.
},
],
},
"mitreAttack": { # MITRE ATT&CK tactics and techniques related to this finding. See: https://attack.mitre.org # MITRE ATT&CK tactics and techniques related to this finding. See: https://attack.mitre.org
"additionalTactics": [ # Additional MITRE ATT&CK tactics related to this finding, if any.
"A String",
],
"additionalTechniques": [ # Additional MITRE ATT&CK techniques related to this finding, if any, along with any of their respective parent techniques.
"A String",
],
"primaryTactic": "A String", # The MITRE ATT&CK tactic most closely represented by this finding, if any.
"primaryTechniques": [ # The MITRE ATT&CK technique most closely represented by this finding, if any. primary_techniques is a repeated field because there are multiple levels of MITRE ATT&CK techniques. If the technique most closely represented by this finding is a sub-technique (e.g. `SCANNING_IP_BLOCKS`), both the sub-technique and its parent technique(s) will be listed (e.g. `SCANNING_IP_BLOCKS`, `ACTIVE_SCANNING`).
"A String",
],
"version": "A String", # The MITRE ATT&CK version referenced by the above fields. E.g. "8".
},
"mute": "A String", # Indicates the mute state of a finding (either muted, unmuted or undefined). Unlike other attributes of a finding, a finding provider shouldn't set the value of mute.
"muteInitiator": "A String", # First known as mute_annotation. Records additional information about the mute operation e.g. mute config that muted the finding, user who muted the finding, etc. Unlike other attributes of a finding, a finding provider shouldn't set the value of mute.
"muteUpdateTime": "A String", # Output only. The most recent time this finding was muted or unmuted.
"name": "A String", # The relative resource name of this finding. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name Example: "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}"
"nextSteps": "A String", # Next steps associate to the finding.
"parent": "A String", # The relative resource name of the source the finding belongs to. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name This field is immutable after creation time. For example: "organizations/{organization_id}/sources/{source_id}"
"parentDisplayName": "A String", # Output only. The human readable display name of the finding source such as "Event Threat Detection" or "Security Health Analytics".
"processes": [ # Represents operating system processes associated with the Finding.
{ # Represents an operating system process.
"args": [ # Process arguments as JSON encoded strings.
"A String",
],
"argumentsTruncated": True or False, # True if `args` is incomplete.
"binary": { # File information about the related binary/library used by an executable, or the script used by a script interpreter # File information for the process executable.
"contents": "A String", # Prefix of the file contents as a JSON encoded string. (Currently only populated for Malicious Script Executed findings.)
"hashedSize": "A String", # The length in bytes of the file prefix that was hashed. If hashed_size == size, any hashes reported represent the entire file.
"partiallyHashed": True or False, # True when the hash covers only a prefix of the file.
"path": "A String", # Absolute path of the file as a JSON encoded string.
"sha256": "A String", # SHA256 hash of the first hashed_size bytes of the file encoded as a hex string. If hashed_size == size, sha256 represents the SHA256 hash of the entire file.
"size": "A String", # Size of the file in bytes.
},
"envVariables": [ # Process environment variables.
{ # EnvironmentVariable is a name-value pair to store environment variables for Process.
"name": "A String", # Environment variable name as a JSON encoded string.
"val": "A String", # Environment variable value as a JSON encoded string.
},
],
"envVariablesTruncated": True or False, # True if `env_variables` is incomplete.
"libraries": [ # File information for libraries loaded by the process.
{ # File information about the related binary/library used by an executable, or the script used by a script interpreter
"contents": "A String", # Prefix of the file contents as a JSON encoded string. (Currently only populated for Malicious Script Executed findings.)
"hashedSize": "A String", # The length in bytes of the file prefix that was hashed. If hashed_size == size, any hashes reported represent the entire file.
"partiallyHashed": True or False, # True when the hash covers only a prefix of the file.
"path": "A String", # Absolute path of the file as a JSON encoded string.
"sha256": "A String", # SHA256 hash of the first hashed_size bytes of the file encoded as a hex string. If hashed_size == size, sha256 represents the SHA256 hash of the entire file.
"size": "A String", # Size of the file in bytes.
},
],
"name": "A String", # The process name visible in utilities like `top` and `ps`; it can be accessed via `/proc/[pid]/comm` and changed with `prctl(PR_SET_NAME)`.
"parentPid": "A String", # The parent process id.
"pid": "A String", # The process id.
"script": { # File information about the related binary/library used by an executable, or the script used by a script interpreter # When the process represents the invocation of a script, `binary` provides information about the interpreter while `script` provides information about the script file provided to the interpreter.
"contents": "A String", # Prefix of the file contents as a JSON encoded string. (Currently only populated for Malicious Script Executed findings.)
"hashedSize": "A String", # The length in bytes of the file prefix that was hashed. If hashed_size == size, any hashes reported represent the entire file.
"partiallyHashed": True or False, # True when the hash covers only a prefix of the file.
"path": "A String", # Absolute path of the file as a JSON encoded string.
"sha256": "A String", # SHA256 hash of the first hashed_size bytes of the file encoded as a hex string. If hashed_size == size, sha256 represents the SHA256 hash of the entire file.
"size": "A String", # Size of the file in bytes.
},
},
],
"resourceName": "A String", # For findings on Google Cloud resources, the full resource name of the Google Cloud resource this finding is for. See: https://cloud.google.com/apis/design/resource_names#full_resource_name When the finding is for a non-Google Cloud resource, the resourceName can be a customer or partner defined string. This field is immutable after creation time.
"securityMarks": { # User specified security marks that are attached to the parent Security Command Center resource. Security marks are scoped within a Security Command Center organization -- they can be modified and viewed by all users who have proper permissions on the organization. # Output only. User specified security marks. These marks are entirely managed by the user and come from the SecurityMarks resource that belongs to the finding.
"canonicalName": "A String", # The canonical name of the marks. Examples: "organizations/{organization_id}/assets/{asset_id}/securityMarks" "folders/{folder_id}/assets/{asset_id}/securityMarks" "projects/{project_number}/assets/{asset_id}/securityMarks" "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}/securityMarks" "folders/{folder_id}/sources/{source_id}/findings/{finding_id}/securityMarks" "projects/{project_number}/sources/{source_id}/findings/{finding_id}/securityMarks"
"marks": { # Mutable user specified security marks belonging to the parent resource. Constraints are as follows: * Keys and values are treated as case insensitive * Keys must be between 1 - 256 characters (inclusive) * Keys must be letters, numbers, underscores, or dashes * Values have leading and trailing whitespace trimmed, remaining characters must be between 1 - 4096 characters (inclusive)
"a_key": "A String",
},
"name": "A String", # The relative resource name of the SecurityMarks. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name Examples: "organizations/{organization_id}/assets/{asset_id}/securityMarks" "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}/securityMarks".
},
"severity": "A String", # The severity of the finding. This field is managed by the source that writes the finding.
"sourceProperties": { # Source specific properties. These properties are managed by the source that writes the finding. The key names in the source_properties map must be between 1 and 255 characters, and must start with a letter and contain alphanumeric characters or underscores only.
"a_key": "",
},
"state": "A String", # The state of the finding.
"vulnerability": { # Refers to common vulnerability fields e.g. cve, cvss, cwe etc. # Represents vulnerability specific fields like cve, cvss scores etc. CVE stands for Common Vulnerabilities and Exposures (https://cve.mitre.org/about/)
"cve": { # CVE stands for Common Vulnerabilities and Exposures. More information: https://cve.mitre.org # CVE stands for Common Vulnerabilities and Exposures (https://cve.mitre.org/about/)
"cvssv3": { # Common Vulnerability Scoring System version 3. # Describe Common Vulnerability Scoring System specified at https://www.first.org/cvss/v3.1/specification-document
"attackComplexity": "A String", # This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.
"attackVector": "A String", # Base Metrics Represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. This metric reflects the context by which vulnerability exploitation is possible.
"availabilityImpact": "A String", # This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.
"baseScore": 3.14, # The base score is a function of the base metric scores.
"confidentialityImpact": "A String", # This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.
"integrityImpact": "A String", # This metric measures the impact to integrity of a successfully exploited vulnerability.
"privilegesRequired": "A String", # This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.
"scope": "A String", # The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope.
"userInteraction": "A String", # This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component.
},
"id": "A String", # The unique identifier for the vulnerability. e.g. CVE-2021-34527
"references": [ # Additional information about the CVE. e.g. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527
{ # Additional Links
"source": "A String", # Source of the reference e.g. NVD
"uri": "A String", # Uri for the mentioned source e.g. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527.
},
],
"upstreamFixAvailable": True or False, # Whether upstream fix is available for the CVE.
},
},
},
"resource": { # Information related to the Google Cloud resource that is associated with this finding. # Output only. Resource that is associated with this finding.
"displayName": "A String", # The human readable name of the resource.
"folders": [ # Contains a Folder message for each folder in the assets ancestry. The first folder is the deepest nested folder, and the last folder is the folder directly under the Organization.
{ # Message that contains the resource name and display name of a folder resource.
"resourceFolder": "A String", # Full resource name of this folder. See: https://cloud.google.com/apis/design/resource_names#full_resource_name
"resourceFolderDisplayName": "A String", # The user defined display name for this folder.
},
],
"name": "A String", # The full resource name of the resource. See: https://cloud.google.com/apis/design/resource_names#full_resource_name
"parentDisplayName": "A String", # The human readable name of resource's parent.
"parentName": "A String", # The full resource name of resource's parent.
"projectDisplayName": "A String", # The project ID that the resource belongs to.
"projectName": "A String", # The full resource name of project that the resource belongs to.
"type": "A String", # The full resource type of the resource.
},
"stateChange": "A String", # State change of the finding between the points in time.
},
],
"nextPageToken": "A String", # Token to retrieve the next page of results, or empty if there are no more results.
"readTime": "A String", # Time used for executing the list request.
"totalSize": 42, # The total number of findings matching the query.
}</pre>
</div>
<div class="method">
<code class="details" id="list_next">list_next()</code>
<pre>Retrieves the next page of results.
Args:
previous_request: The request for the previous page. (required)
previous_response: The response from the request for the previous page. (required)
Returns:
A request object that you can call 'execute()' on to request the next
page. Returns None if there are no more items in the collection.
</pre>
</div>
<div class="method">
<code class="details" id="patch">patch(name, body=None, updateMask=None, x__xgafv=None)</code>
<pre>Creates or updates a finding. The corresponding source must exist for a finding creation to succeed.
Args:
name: string, The relative resource name of this finding. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name Example: "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}" (required)
body: object, The request body.
The object takes the form of:
{ # Security Command Center finding. A finding is a record of assessment data like security, risk, health, or privacy, that is ingested into Security Command Center for presentation, notification, analysis, policy testing, and enforcement. For example, a cross-site scripting (XSS) vulnerability in an App Engine application is a finding.
"access": { # Represents an access event. # Access details associated to the Finding, such as more information on the caller, which method was accessed, from where, etc.
"callerIp": "A String", # Caller's IP address, such as "1.1.1.1".
"callerIpGeo": { # Represents a geographical location for a given access. # The caller IP's geolocation, which identifies where the call came from.
"regionCode": "A String", # A CLDR.
},
"methodName": "A String", # The method that the service account called, e.g. "SetIamPolicy".
"principalEmail": "A String", # Associated email, such as "foo@google.com". The email address of the authenticated user (or service account on behalf of third party principal) making the request. For third party identity callers, the `principal_subject` field is populated instead of this field. For privacy reasons, the principal email address is sometimes redacted. For more information, see [Caller identities in audit logs](https://cloud.google.com/logging/docs/audit#user-id).
"principalSubject": "A String", # A string representing the principal_subject associated with the identity. As compared to `principal_email`, supports principals that aren't associated with email addresses, such as third party principals. For most identities, the format will be `principal://iam.googleapis.com/{identity pool name}/subjects/{subject}` except for some GKE identities (GKE_WORKLOAD, FREEFORM, GKE_HUB_WORKLOAD) that are still in the legacy format `serviceAccount:{identity pool name}[{subject}]`
"serviceAccountDelegationInfo": [ # Identity delegation history of an authenticated service account that makes the request. It contains information on the real authorities that try to access GCP resources by delegating on a service account. When multiple authorities are present, they are guaranteed to be sorted based on the original ordering of the identity delegation events.
{ # Identity delegation history of an authenticated service account.
"principalEmail": "A String", # The email address of a Google account.
"principalSubject": "A String", # A string representing the principal_subject associated with the identity. As compared to `principal_email`, supports principals that aren't associated with email addresses, such as third party principals. For most identities, the format will be `principal://iam.googleapis.com/{identity pool name}/subjects/{subject}` except for some GKE identities (GKE_WORKLOAD, FREEFORM, GKE_HUB_WORKLOAD) that are still in the legacy format `serviceAccount:{identity pool name}[{subject}]`
},
],
"serviceAccountKeyName": "A String", # The name of the service account key used to create or exchange credentials for authenticating the service account making the request. This is a scheme-less URI full resource name. For example: "//iam.googleapis.com/projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}"
"serviceName": "A String", # This is the API service that the service account made a call to, e.g. "iam.googleapis.com"
"userAgentFamily": "A String", # What kind of user agent is associated, e.g. operating system shells, embedded or stand-alone applications, etc.
"userName": "A String", # A string representing a username. This is likely not an IAM principal. For instance, this may be the system user name if the finding is VM-related, or this may be some type of application login user name, depending on the type of finding.
},
"canonicalName": "A String", # The canonical name of the finding. It's either "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}", "folders/{folder_id}/sources/{source_id}/findings/{finding_id}" or "projects/{project_number}/sources/{source_id}/findings/{finding_id}", depending on the closest CRM ancestor of the resource associated with the finding.
"category": "A String", # The additional taxonomy group within findings from a given source. This field is immutable after creation time. Example: "XSS_FLASH_INJECTION"
"compliances": [ # Contains compliance information for security standards associated to the finding.
{ # Contains compliance information about a security standard indicating unmet recommendations.
"ids": [ # Policies within the standard/benchmark e.g. A.12.4.1
"A String",
],
"standard": "A String", # Refers to industry wide standards or benchmarks e.g. "cis", "pci", "owasp", etc.
"version": "A String", # Version of the standard/benchmark e.g. 1.1
},
],
"connections": [ # Contains information about the IP connection associated with the finding.
{ # Contains information about the IP connection associated with the finding.
"destinationIp": "A String", # Destination IP address. Not present for sockets that are listening and not connected.
"destinationPort": 42, # Destination port. Not present for sockets that are listening and not connected.
"protocol": "A String", # IANA Internet Protocol Number such as TCP(6) and UDP(17).
"sourceIp": "A String", # Source IP address.
"sourcePort": 42, # Source port.
},
],
"contacts": { # Output only. Map containing the points of contact for the given finding. The key represents the type of contact, while the value contains a list of all the contacts that pertain. Please refer to: https://cloud.google.com/resource-manager/docs/managing-notification-contacts#notification-categories { "security": { "contacts": [ { "email": "person1@company.com" }, { "email": "person2@company.com" } ] } }
"a_key": { # The details pertaining to specific contacts
"contacts": [ # A list of contacts
{ # Representa a single contact's email address
"email": "A String", # An email address e.g. "person123@company.com"
},
],
},
},
"containers": [ # Containers associated with the finding. containers provides information for both Kubernetes and non-Kubernetes containers.
{ # Container associated with the finding.
"imageId": "A String", # Optional container image id, when provided by the container runtime. Uniquely identifies the container image launched using a container image digest.
"labels": [ # Container labels, as provided by the container runtime.
{ # Label represents a generic name=value label. Label has separate name and value fields to support filtering with contains().
"name": "A String", # Label name.
"value": "A String", # Label value.
},
],
"name": "A String", # Container name.
"uri": "A String", # Container image URI provided when configuring a pod/container. May identify a container image version using mutable tags.
},
],
"createTime": "A String", # The time at which the finding was created in Security Command Center.
"database": { # Represents database access information, such as queries. A database may be a sub-resource of an instance (as in the case of CloudSQL instances or Cloud Spanner instances), or the database instance itself. Some database resources may not have the full resource name populated because these resource types are not yet supported by Cloud Asset Inventory (e.g. CloudSQL databases). In these cases only the display name will be provided. # Database associated with the finding.
"displayName": "A String", # The human readable name of the database the user connected to.
"grantees": [ # The target usernames/roles/groups of a SQL privilege grant (not an IAM policy change).
"A String",
],
"name": "A String", # The full resource name of the database the user connected to, if it is supported by CAI. (https://google.aip.dev/122#full-resource-names)
"query": "A String", # The SQL statement associated with the relevant access.
"userName": "A String", # The username used to connect to the DB. This may not necessarily be an IAM principal, and has no required format.
},
"description": "A String", # Contains more detail about the finding.
"eventTime": "A String", # The time the finding was first detected. If an existing finding is updated, then this is the time the update occurred. For example, if the finding represents an open firewall, this property captures the time the detector believes the firewall became open. The accuracy is determined by the detector. If the finding is later resolved, then this time reflects when the finding was resolved. This must not be set to a value greater than the current timestamp.
"exfiltration": { # Exfiltration represents a data exfiltration attempt of one or more sources to one or more targets. Sources represent the source of data that is exfiltrated, and Targets represents the destination the data was copied to. # Represents exfiltration associated with the Finding.
"sources": [ # If there are multiple sources, then the data is considered "joined" between them. For instance, BigQuery can join multiple tables, and each table would be considered a source.
{ # Resource that has been exfiltrated or exfiltrated_to.
"components": [ # Subcomponents of the asset that is exfiltrated - these could be URIs used during exfiltration, table names, databases, filenames, etc. For example, multiple tables may be exfiltrated from the same CloudSQL instance, or multiple files from the same Cloud Storage bucket.
"A String",
],
"name": "A String", # Resource's URI (https://google.aip.dev/122#full-resource-names)
},
],
"targets": [ # If there are multiple targets, each target would get a complete copy of the "joined" source data.
{ # Resource that has been exfiltrated or exfiltrated_to.
"components": [ # Subcomponents of the asset that is exfiltrated - these could be URIs used during exfiltration, table names, databases, filenames, etc. For example, multiple tables may be exfiltrated from the same CloudSQL instance, or multiple files from the same Cloud Storage bucket.
"A String",
],
"name": "A String", # Resource's URI (https://google.aip.dev/122#full-resource-names)
},
],
},
"externalSystems": { # Output only. Third party SIEM/SOAR fields within SCC, contains external system information and external system finding fields.
"a_key": { # Representation of third party SIEM/SOAR fields within SCC.
"assignees": [ # References primary/secondary etc assignees in the external system.
"A String",
],
"externalSystemUpdateTime": "A String", # The most recent time when the corresponding finding's ticket/tracker was updated in the external system.
"externalUid": "A String", # Identifier that's used to track the given finding in the external system.
"name": "A String", # External System Name e.g. jira, demisto, etc. e.g.: `organizations/1234/sources/5678/findings/123456/externalSystems/jira` `folders/1234/sources/5678/findings/123456/externalSystems/jira` `projects/1234/sources/5678/findings/123456/externalSystems/jira`
"status": "A String", # Most recent status of the corresponding finding's ticket/tracker in the external system.
},
},
"externalUri": "A String", # The URI that, if available, points to a web page outside of Security Command Center where additional information about the finding can be found. This field is guaranteed to be either empty or a well formed URL.
"files": [ # File associated with the finding.
{ # File information about the related binary/library used by an executable, or the script used by a script interpreter
"contents": "A String", # Prefix of the file contents as a JSON encoded string. (Currently only populated for Malicious Script Executed findings.)
"hashedSize": "A String", # The length in bytes of the file prefix that was hashed. If hashed_size == size, any hashes reported represent the entire file.
"partiallyHashed": True or False, # True when the hash covers only a prefix of the file.
"path": "A String", # Absolute path of the file as a JSON encoded string.
"sha256": "A String", # SHA256 hash of the first hashed_size bytes of the file encoded as a hex string. If hashed_size == size, sha256 represents the SHA256 hash of the entire file.
"size": "A String", # Size of the file in bytes.
},
],
"findingClass": "A String", # The class of the finding.
"iamBindings": [ # Represents IAM bindings associated with the Finding.
{ # Represents a particular IAM binding, which captures a member's role addition, removal, or state.
"action": "A String", # The action that was performed on a Binding.
"member": "A String", # A single identity requesting access for a Cloud Platform resource, e.g. "foo@google.com".
"role": "A String", # Role that is assigned to "members". For example, "roles/viewer", "roles/editor", or "roles/owner".
},
],
"indicator": { # Represents what's commonly known as an Indicator of compromise (IoC) in computer forensics. This is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Reference: https://en.wikipedia.org/wiki/Indicator_of_compromise # Represents what's commonly known as an Indicator of compromise (IoC) in computer forensics. This is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Reference: https://en.wikipedia.org/wiki/Indicator_of_compromise
"domains": [ # List of domains associated to the Finding.
"A String",
],
"ipAddresses": [ # List of ip addresses associated to the Finding.
"A String",
],
"signatures": [ # The list of matched signatures indicating that the given process is present in the environment.
{ # Indicates what signature matched this process.
"memoryHashSignature": { # A signature corresponding to memory page hashes. # Signature indicating that a binary family was matched.
"binaryFamily": "A String", # The binary family.
"detections": [ # The list of memory hash detections contributing to the binary family match.
{ # Memory hash detection contributing to the binary family match.
"binary": "A String", # The name of the binary associated with the memory hash signature detection.
"percentPagesMatched": 3.14, # The percentage of memory page hashes in the signature that were matched.
},
],
},
"yaraRuleSignature": { # A signature corresponding to a YARA rule. # Signature indicating that a YARA rule was matched.
"yaraRule": "A String", # The name of the YARA rule.
},
},
],
"uris": [ # The list of URIs associated to the Findings.
"A String",
],
},
"kubernetes": { # Kubernetes related attributes. # Kubernetes resources associated with the finding.
"accessReviews": [ # Provides information on any Kubernetes access reviews (i.e. privilege checks) relevant to the finding.
{ # Conveys information about a Kubernetes access review (e.g. kubectl auth can-i ...) that was involved in a finding.
"group": "A String", # Group is the API Group of the Resource. "*" means all.
"name": "A String", # Name is the name of the resource being requested. Empty means all.
"ns": "A String", # Namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces. Both are represented by "" (empty).
"resource": "A String", # Resource is the optional resource type requested. "*" means all.
"subresource": "A String", # Subresource is the optional subresource type.
"verb": "A String", # Verb is a Kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy. "*" means all.
"version": "A String", # Version is the API Version of the Resource. "*" means all.
},
],
"bindings": [ # Provides Kubernetes role binding information for findings that involve RoleBindings or ClusterRoleBindings.
{ # Represents a Kubernetes RoleBinding or ClusterRoleBinding.
"name": "A String", # Name for binding.
"ns": "A String", # Namespace for binding.
"role": { # Kubernetes Role or ClusterRole. # The Role or ClusterRole referenced by the binding.
"kind": "A String", # Role type.
"name": "A String", # Role name.
"ns": "A String", # Role namespace.
},
"subjects": [ # Represents the subjects(s) bound to the role. Not always available for PATCH requests.
{ # Represents a Kubernetes Subject.
"kind": "A String", # Authentication type for subject.
"name": "A String", # Name for subject.
"ns": "A String", # Namespace for subject.
},
],
},
],
"nodePools": [ # GKE Node Pools associated with the finding. This field will contain NodePool information for each Node, when it is available.
{ # Provides GKE Node Pool information.
"name": "A String", # Kubernetes Node pool name.
"nodes": [ # Nodes associated with the finding.
{ # Kubernetes Nodes associated with the finding.
"name": "A String", # Full Resource name of the Compute Engine VM running the cluster node.
},
],
},
],
"nodes": [ # Provides Kubernetes Node information.
{ # Kubernetes Nodes associated with the finding.
"name": "A String", # Full Resource name of the Compute Engine VM running the cluster node.
},
],
"pods": [ # Kubernetes Pods associated with the finding. This field will contain Pod records for each container that is owned by a Pod.
{ # Kubernetes Pod.
"containers": [ # Pod containers associated with this finding, if any.
{ # Container associated with the finding.
"imageId": "A String", # Optional container image id, when provided by the container runtime. Uniquely identifies the container image launched using a container image digest.
"labels": [ # Container labels, as provided by the container runtime.
{ # Label represents a generic name=value label. Label has separate name and value fields to support filtering with contains().
"name": "A String", # Label name.
"value": "A String", # Label value.
},
],
"name": "A String", # Container name.
"uri": "A String", # Container image URI provided when configuring a pod/container. May identify a container image version using mutable tags.
},
],
"labels": [ # Pod labels. For Kubernetes containers, these are applied to the container.
{ # Label represents a generic name=value label. Label has separate name and value fields to support filtering with contains().
"name": "A String", # Label name.
"value": "A String", # Label value.
},
],
"name": "A String", # Kubernetes Pod name.
"ns": "A String", # Kubernetes Pod namespace.
},
],
"roles": [ # Provides Kubernetes role information for findings that involve Roles or ClusterRoles.
{ # Kubernetes Role or ClusterRole.
"kind": "A String", # Role type.
"name": "A String", # Role name.
"ns": "A String", # Role namespace.
},
],
},
"mitreAttack": { # MITRE ATT&CK tactics and techniques related to this finding. See: https://attack.mitre.org # MITRE ATT&CK tactics and techniques related to this finding. See: https://attack.mitre.org
"additionalTactics": [ # Additional MITRE ATT&CK tactics related to this finding, if any.
"A String",
],
"additionalTechniques": [ # Additional MITRE ATT&CK techniques related to this finding, if any, along with any of their respective parent techniques.
"A String",
],
"primaryTactic": "A String", # The MITRE ATT&CK tactic most closely represented by this finding, if any.
"primaryTechniques": [ # The MITRE ATT&CK technique most closely represented by this finding, if any. primary_techniques is a repeated field because there are multiple levels of MITRE ATT&CK techniques. If the technique most closely represented by this finding is a sub-technique (e.g. `SCANNING_IP_BLOCKS`), both the sub-technique and its parent technique(s) will be listed (e.g. `SCANNING_IP_BLOCKS`, `ACTIVE_SCANNING`).
"A String",
],
"version": "A String", # The MITRE ATT&CK version referenced by the above fields. E.g. "8".
},
"mute": "A String", # Indicates the mute state of a finding (either muted, unmuted or undefined). Unlike other attributes of a finding, a finding provider shouldn't set the value of mute.
"muteInitiator": "A String", # First known as mute_annotation. Records additional information about the mute operation e.g. mute config that muted the finding, user who muted the finding, etc. Unlike other attributes of a finding, a finding provider shouldn't set the value of mute.
"muteUpdateTime": "A String", # Output only. The most recent time this finding was muted or unmuted.
"name": "A String", # The relative resource name of this finding. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name Example: "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}"
"nextSteps": "A String", # Next steps associate to the finding.
"parent": "A String", # The relative resource name of the source the finding belongs to. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name This field is immutable after creation time. For example: "organizations/{organization_id}/sources/{source_id}"
"parentDisplayName": "A String", # Output only. The human readable display name of the finding source such as "Event Threat Detection" or "Security Health Analytics".
"processes": [ # Represents operating system processes associated with the Finding.
{ # Represents an operating system process.
"args": [ # Process arguments as JSON encoded strings.
"A String",
],
"argumentsTruncated": True or False, # True if `args` is incomplete.
"binary": { # File information about the related binary/library used by an executable, or the script used by a script interpreter # File information for the process executable.
"contents": "A String", # Prefix of the file contents as a JSON encoded string. (Currently only populated for Malicious Script Executed findings.)
"hashedSize": "A String", # The length in bytes of the file prefix that was hashed. If hashed_size == size, any hashes reported represent the entire file.
"partiallyHashed": True or False, # True when the hash covers only a prefix of the file.
"path": "A String", # Absolute path of the file as a JSON encoded string.
"sha256": "A String", # SHA256 hash of the first hashed_size bytes of the file encoded as a hex string. If hashed_size == size, sha256 represents the SHA256 hash of the entire file.
"size": "A String", # Size of the file in bytes.
},
"envVariables": [ # Process environment variables.
{ # EnvironmentVariable is a name-value pair to store environment variables for Process.
"name": "A String", # Environment variable name as a JSON encoded string.
"val": "A String", # Environment variable value as a JSON encoded string.
},
],
"envVariablesTruncated": True or False, # True if `env_variables` is incomplete.
"libraries": [ # File information for libraries loaded by the process.
{ # File information about the related binary/library used by an executable, or the script used by a script interpreter
"contents": "A String", # Prefix of the file contents as a JSON encoded string. (Currently only populated for Malicious Script Executed findings.)
"hashedSize": "A String", # The length in bytes of the file prefix that was hashed. If hashed_size == size, any hashes reported represent the entire file.
"partiallyHashed": True or False, # True when the hash covers only a prefix of the file.
"path": "A String", # Absolute path of the file as a JSON encoded string.
"sha256": "A String", # SHA256 hash of the first hashed_size bytes of the file encoded as a hex string. If hashed_size == size, sha256 represents the SHA256 hash of the entire file.
"size": "A String", # Size of the file in bytes.
},
],
"name": "A String", # The process name visible in utilities like `top` and `ps`; it can be accessed via `/proc/[pid]/comm` and changed with `prctl(PR_SET_NAME)`.
"parentPid": "A String", # The parent process id.
"pid": "A String", # The process id.
"script": { # File information about the related binary/library used by an executable, or the script used by a script interpreter # When the process represents the invocation of a script, `binary` provides information about the interpreter while `script` provides information about the script file provided to the interpreter.
"contents": "A String", # Prefix of the file contents as a JSON encoded string. (Currently only populated for Malicious Script Executed findings.)
"hashedSize": "A String", # The length in bytes of the file prefix that was hashed. If hashed_size == size, any hashes reported represent the entire file.
"partiallyHashed": True or False, # True when the hash covers only a prefix of the file.
"path": "A String", # Absolute path of the file as a JSON encoded string.
"sha256": "A String", # SHA256 hash of the first hashed_size bytes of the file encoded as a hex string. If hashed_size == size, sha256 represents the SHA256 hash of the entire file.
"size": "A String", # Size of the file in bytes.
},
},
],
"resourceName": "A String", # For findings on Google Cloud resources, the full resource name of the Google Cloud resource this finding is for. See: https://cloud.google.com/apis/design/resource_names#full_resource_name When the finding is for a non-Google Cloud resource, the resourceName can be a customer or partner defined string. This field is immutable after creation time.
"securityMarks": { # User specified security marks that are attached to the parent Security Command Center resource. Security marks are scoped within a Security Command Center organization -- they can be modified and viewed by all users who have proper permissions on the organization. # Output only. User specified security marks. These marks are entirely managed by the user and come from the SecurityMarks resource that belongs to the finding.
"canonicalName": "A String", # The canonical name of the marks. Examples: "organizations/{organization_id}/assets/{asset_id}/securityMarks" "folders/{folder_id}/assets/{asset_id}/securityMarks" "projects/{project_number}/assets/{asset_id}/securityMarks" "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}/securityMarks" "folders/{folder_id}/sources/{source_id}/findings/{finding_id}/securityMarks" "projects/{project_number}/sources/{source_id}/findings/{finding_id}/securityMarks"
"marks": { # Mutable user specified security marks belonging to the parent resource. Constraints are as follows: * Keys and values are treated as case insensitive * Keys must be between 1 - 256 characters (inclusive) * Keys must be letters, numbers, underscores, or dashes * Values have leading and trailing whitespace trimmed, remaining characters must be between 1 - 4096 characters (inclusive)
"a_key": "A String",
},
"name": "A String", # The relative resource name of the SecurityMarks. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name Examples: "organizations/{organization_id}/assets/{asset_id}/securityMarks" "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}/securityMarks".
},
"severity": "A String", # The severity of the finding. This field is managed by the source that writes the finding.
"sourceProperties": { # Source specific properties. These properties are managed by the source that writes the finding. The key names in the source_properties map must be between 1 and 255 characters, and must start with a letter and contain alphanumeric characters or underscores only.
"a_key": "",
},
"state": "A String", # The state of the finding.
"vulnerability": { # Refers to common vulnerability fields e.g. cve, cvss, cwe etc. # Represents vulnerability specific fields like cve, cvss scores etc. CVE stands for Common Vulnerabilities and Exposures (https://cve.mitre.org/about/)
"cve": { # CVE stands for Common Vulnerabilities and Exposures. More information: https://cve.mitre.org # CVE stands for Common Vulnerabilities and Exposures (https://cve.mitre.org/about/)
"cvssv3": { # Common Vulnerability Scoring System version 3. # Describe Common Vulnerability Scoring System specified at https://www.first.org/cvss/v3.1/specification-document
"attackComplexity": "A String", # This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.
"attackVector": "A String", # Base Metrics Represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. This metric reflects the context by which vulnerability exploitation is possible.
"availabilityImpact": "A String", # This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.
"baseScore": 3.14, # The base score is a function of the base metric scores.
"confidentialityImpact": "A String", # This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.
"integrityImpact": "A String", # This metric measures the impact to integrity of a successfully exploited vulnerability.
"privilegesRequired": "A String", # This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.
"scope": "A String", # The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope.
"userInteraction": "A String", # This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component.
},
"id": "A String", # The unique identifier for the vulnerability. e.g. CVE-2021-34527
"references": [ # Additional information about the CVE. e.g. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527
{ # Additional Links
"source": "A String", # Source of the reference e.g. NVD
"uri": "A String", # Uri for the mentioned source e.g. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527.
},
],
"upstreamFixAvailable": True or False, # Whether upstream fix is available for the CVE.
},
},
}
updateMask: string, The FieldMask to use when updating the finding resource. This field should not be specified when creating a finding. When updating a finding, an empty mask is treated as updating all mutable fields and replacing source_properties. Individual source_properties can be added/updated by using "source_properties." in the field mask.
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Security Command Center finding. A finding is a record of assessment data like security, risk, health, or privacy, that is ingested into Security Command Center for presentation, notification, analysis, policy testing, and enforcement. For example, a cross-site scripting (XSS) vulnerability in an App Engine application is a finding.
"access": { # Represents an access event. # Access details associated to the Finding, such as more information on the caller, which method was accessed, from where, etc.
"callerIp": "A String", # Caller's IP address, such as "1.1.1.1".
"callerIpGeo": { # Represents a geographical location for a given access. # The caller IP's geolocation, which identifies where the call came from.
"regionCode": "A String", # A CLDR.
},
"methodName": "A String", # The method that the service account called, e.g. "SetIamPolicy".
"principalEmail": "A String", # Associated email, such as "foo@google.com". The email address of the authenticated user (or service account on behalf of third party principal) making the request. For third party identity callers, the `principal_subject` field is populated instead of this field. For privacy reasons, the principal email address is sometimes redacted. For more information, see [Caller identities in audit logs](https://cloud.google.com/logging/docs/audit#user-id).
"principalSubject": "A String", # A string representing the principal_subject associated with the identity. As compared to `principal_email`, supports principals that aren't associated with email addresses, such as third party principals. For most identities, the format will be `principal://iam.googleapis.com/{identity pool name}/subjects/{subject}` except for some GKE identities (GKE_WORKLOAD, FREEFORM, GKE_HUB_WORKLOAD) that are still in the legacy format `serviceAccount:{identity pool name}[{subject}]`
"serviceAccountDelegationInfo": [ # Identity delegation history of an authenticated service account that makes the request. It contains information on the real authorities that try to access GCP resources by delegating on a service account. When multiple authorities are present, they are guaranteed to be sorted based on the original ordering of the identity delegation events.
{ # Identity delegation history of an authenticated service account.
"principalEmail": "A String", # The email address of a Google account.
"principalSubject": "A String", # A string representing the principal_subject associated with the identity. As compared to `principal_email`, supports principals that aren't associated with email addresses, such as third party principals. For most identities, the format will be `principal://iam.googleapis.com/{identity pool name}/subjects/{subject}` except for some GKE identities (GKE_WORKLOAD, FREEFORM, GKE_HUB_WORKLOAD) that are still in the legacy format `serviceAccount:{identity pool name}[{subject}]`
},
],
"serviceAccountKeyName": "A String", # The name of the service account key used to create or exchange credentials for authenticating the service account making the request. This is a scheme-less URI full resource name. For example: "//iam.googleapis.com/projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}"
"serviceName": "A String", # This is the API service that the service account made a call to, e.g. "iam.googleapis.com"
"userAgentFamily": "A String", # What kind of user agent is associated, e.g. operating system shells, embedded or stand-alone applications, etc.
"userName": "A String", # A string representing a username. This is likely not an IAM principal. For instance, this may be the system user name if the finding is VM-related, or this may be some type of application login user name, depending on the type of finding.
},
"canonicalName": "A String", # The canonical name of the finding. It's either "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}", "folders/{folder_id}/sources/{source_id}/findings/{finding_id}" or "projects/{project_number}/sources/{source_id}/findings/{finding_id}", depending on the closest CRM ancestor of the resource associated with the finding.
"category": "A String", # The additional taxonomy group within findings from a given source. This field is immutable after creation time. Example: "XSS_FLASH_INJECTION"
"compliances": [ # Contains compliance information for security standards associated to the finding.
{ # Contains compliance information about a security standard indicating unmet recommendations.
"ids": [ # Policies within the standard/benchmark e.g. A.12.4.1
"A String",
],
"standard": "A String", # Refers to industry wide standards or benchmarks e.g. "cis", "pci", "owasp", etc.
"version": "A String", # Version of the standard/benchmark e.g. 1.1
},
],
"connections": [ # Contains information about the IP connection associated with the finding.
{ # Contains information about the IP connection associated with the finding.
"destinationIp": "A String", # Destination IP address. Not present for sockets that are listening and not connected.
"destinationPort": 42, # Destination port. Not present for sockets that are listening and not connected.
"protocol": "A String", # IANA Internet Protocol Number such as TCP(6) and UDP(17).
"sourceIp": "A String", # Source IP address.
"sourcePort": 42, # Source port.
},
],
"contacts": { # Output only. Map containing the points of contact for the given finding. The key represents the type of contact, while the value contains a list of all the contacts that pertain. Please refer to: https://cloud.google.com/resource-manager/docs/managing-notification-contacts#notification-categories { "security": { "contacts": [ { "email": "person1@company.com" }, { "email": "person2@company.com" } ] } }
"a_key": { # The details pertaining to specific contacts
"contacts": [ # A list of contacts
{ # Representa a single contact's email address
"email": "A String", # An email address e.g. "person123@company.com"
},
],
},
},
"containers": [ # Containers associated with the finding. containers provides information for both Kubernetes and non-Kubernetes containers.
{ # Container associated with the finding.
"imageId": "A String", # Optional container image id, when provided by the container runtime. Uniquely identifies the container image launched using a container image digest.
"labels": [ # Container labels, as provided by the container runtime.
{ # Label represents a generic name=value label. Label has separate name and value fields to support filtering with contains().
"name": "A String", # Label name.
"value": "A String", # Label value.
},
],
"name": "A String", # Container name.
"uri": "A String", # Container image URI provided when configuring a pod/container. May identify a container image version using mutable tags.
},
],
"createTime": "A String", # The time at which the finding was created in Security Command Center.
"database": { # Represents database access information, such as queries. A database may be a sub-resource of an instance (as in the case of CloudSQL instances or Cloud Spanner instances), or the database instance itself. Some database resources may not have the full resource name populated because these resource types are not yet supported by Cloud Asset Inventory (e.g. CloudSQL databases). In these cases only the display name will be provided. # Database associated with the finding.
"displayName": "A String", # The human readable name of the database the user connected to.
"grantees": [ # The target usernames/roles/groups of a SQL privilege grant (not an IAM policy change).
"A String",
],
"name": "A String", # The full resource name of the database the user connected to, if it is supported by CAI. (https://google.aip.dev/122#full-resource-names)
"query": "A String", # The SQL statement associated with the relevant access.
"userName": "A String", # The username used to connect to the DB. This may not necessarily be an IAM principal, and has no required format.
},
"description": "A String", # Contains more detail about the finding.
"eventTime": "A String", # The time the finding was first detected. If an existing finding is updated, then this is the time the update occurred. For example, if the finding represents an open firewall, this property captures the time the detector believes the firewall became open. The accuracy is determined by the detector. If the finding is later resolved, then this time reflects when the finding was resolved. This must not be set to a value greater than the current timestamp.
"exfiltration": { # Exfiltration represents a data exfiltration attempt of one or more sources to one or more targets. Sources represent the source of data that is exfiltrated, and Targets represents the destination the data was copied to. # Represents exfiltration associated with the Finding.
"sources": [ # If there are multiple sources, then the data is considered "joined" between them. For instance, BigQuery can join multiple tables, and each table would be considered a source.
{ # Resource that has been exfiltrated or exfiltrated_to.
"components": [ # Subcomponents of the asset that is exfiltrated - these could be URIs used during exfiltration, table names, databases, filenames, etc. For example, multiple tables may be exfiltrated from the same CloudSQL instance, or multiple files from the same Cloud Storage bucket.
"A String",
],
"name": "A String", # Resource's URI (https://google.aip.dev/122#full-resource-names)
},
],
"targets": [ # If there are multiple targets, each target would get a complete copy of the "joined" source data.
{ # Resource that has been exfiltrated or exfiltrated_to.
"components": [ # Subcomponents of the asset that is exfiltrated - these could be URIs used during exfiltration, table names, databases, filenames, etc. For example, multiple tables may be exfiltrated from the same CloudSQL instance, or multiple files from the same Cloud Storage bucket.
"A String",
],
"name": "A String", # Resource's URI (https://google.aip.dev/122#full-resource-names)
},
],
},
"externalSystems": { # Output only. Third party SIEM/SOAR fields within SCC, contains external system information and external system finding fields.
"a_key": { # Representation of third party SIEM/SOAR fields within SCC.