Creates a finding. The corresponding source must exist for finding creation to succeed.

Scopes

You will need authorization for the https://www.googleapis.com/auth/cloud-platform scope to make a valid call.

If unset, the scope for this method defaults to https://www.googleapis.com/auth/cloud-platform. You can set the scope for this method like this: securitycenter1 --scope <scope> organizations sources-findings-create ...

Required Scalar Argument

  • <parent> (string)
    • Required. Resource name of the new finding's parent. Its format should be "organizations/[organization_id]/sources/[source_id]".

Required Request Value

The request value is a data-structure with various fields. Each field may be a simple scalar or another data-structure. In the latter case it is advised to set the field-cursor to the data-structure's field to specify values more concisely.

For example, a structure like this:

Finding:
  access:
    caller-ip: string
    caller-ip-geo:
      region-code: string
    method-name: string
    principal-email: string
    principal-subject: string
    service-account-key-name: string
    service-name: string
    user-agent: string
    user-agent-family: string
    user-name: string
  application:
    base-uri: string
    full-uri: string
  attack-exposure:
    attack-exposure-result: string
    exposed-high-value-resources-count: integer
    exposed-low-value-resources-count: integer
    exposed-medium-value-resources-count: integer
    latest-calculation-time: string
    score: number
    state: string
  backup-disaster-recovery:
    appliance: string
    applications: [string]
    backup-create-time: string
    backup-template: string
    backup-type: string
    host: string
    policies: [string]
    policy-options: [string]
    profile: string
    storage-pool: string
  canonical-name: string
  category: string
  cloud-dlp-data-profile:
    data-profile: string
    parent-type: string
  cloud-dlp-inspection:
    full-scan: boolean
    info-type: string
    info-type-count: int64
    inspect-job: string
  create-time: string
  database:
    display-name: string
    grantees: [string]
    name: string
    query: string
    user-name: string
    version: string
  description: string
  event-time: string
  exfiltration:
    total-exfiltrated-bytes: string
  external-uri: string
  finding-class: string
  indicator:
    domains: [string]
    ip-addresses: [string]
    uris: [string]
  kernel-rootkit:
    name: string
    unexpected-code-modification: boolean
    unexpected-ftrace-handler: boolean
    unexpected-interrupt-handler: boolean
    unexpected-kernel-code-pages: boolean
    unexpected-kprobe-handler: boolean
    unexpected-processes-in-runqueue: boolean
    unexpected-read-only-data-modification: boolean
    unexpected-system-call-handler: boolean
  mitre-attack:
    additional-tactics: [string]
    additional-techniques: [string]
    primary-tactic: string
    primary-techniques: [string]
    version: string
  module-name: string
  mute: string
  mute-initiator: string
  mute-update-time: string
  name: string
  next-steps: string
  parent: string
  parent-display-name: string
  resource-name: string
  security-marks:
    canonical-name: string
    marks: { string: string }
    name: string
  security-posture:
    changed-policy: string
    name: string
    policy: string
    policy-set: string
    posture-deployment: string
    posture-deployment-resource: string
    revision-id: string
  severity: string
  state: string
  vulnerability:
    cve:
      cvssv3:
        attack-complexity: string
        attack-vector: string
        availability-impact: string
        base-score: number
        confidentiality-impact: string
        integrity-impact: string
        privileges-required: string
        scope: string
        user-interaction: string
      exploitation-activity: string
      id: string
      impact: string
      observed-in-the-wild: boolean
      upstream-fix-available: boolean
      zero-day: boolean
    fixed-package:
      cpe-uri: string
      package-name: string
      package-type: string
      package-version: string
    offending-package:
      cpe-uri: string
      package-name: string
      package-type: string
      package-version: string
    security-bulletin:
      bulletin-id: string
      submission-time: string
      suggested-upgrade-version: string

can be set completely with the following arguments which are assumed to be executed in the given order. Note how the cursor position is adjusted to the respective structures, allowing simple field names to be used most of the time.

  • -r .access caller-ip=ipsum
    • Caller's IP address, such as "1.1.1.1".
  • caller-ip-geo region-code=gubergren

    • A CLDR region code.
  • .. method-name=invidunt

    • The method that the service account called, e.g. "SetIamPolicy".
  • principal-email=sea
    • Associated email, such as "foo@google.com". The email address of the authenticated user or a service account acting on behalf of a third party principal making the request. For third party identity callers, the principal_subject field is populated instead of this field. For privacy reasons, the principal email address is sometimes redacted. For more information, see Caller identities in audit logs.
  • principal-subject=duo
    • A string that represents the principal_subject that is associated with the identity. Unlike principal_email, principal_subject supports principals that aren't associated with email addresses, such as third party principals. For most identities, the format is principal://iam.googleapis.com/{identity pool name}/subject/{subject}. Some GKE identities, such as GKE_WORKLOAD, FREEFORM, and GKE_HUB_WORKLOAD, still use the legacy format serviceAccount:{identity pool name}[{subject}].
  • service-account-key-name=sea
    • The name of the service account key that was used to create or exchange credentials when authenticating the service account that made the request. This is a scheme-less URI full resource name. For example: "//iam.googleapis.com/projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}".
  • service-name=stet
    • This is the API service that the service account made a call to, e.g. "iam.googleapis.com"
  • user-agent=sadipscing
    • The caller's user agent string associated with the finding.
  • user-agent-family=no
    • Type of user agent associated with the finding. For example, an operating system shell or an embedded or standalone application.
  • user-name=tempor

    • A string that represents a username. The username provided depends on the type of the finding and is likely not an IAM principal. For example, this can be a system username if the finding is related to a virtual machine, or it can be an application login username.
  • ..application base-uri=ipsum

    • The base URI that identifies the network location of the application in which the vulnerability was detected. For example, http://example.com.
  • full-uri=sea

    • The full URI with payload that can be used to reproduce the vulnerability. For example, http://example.com?p=aMmYgI6H.
  • ..attack-exposure attack-exposure-result=sit

    • The resource name of the attack path simulation result that contains the details regarding this attack exposure score. Example: organizations/123/simulations/456/attackExposureResults/789
  • exposed-high-value-resources-count=99
    • The number of high value resources that are exposed as a result of this finding.
  • exposed-low-value-resources-count=46
    • The number of low value resources that are exposed as a result of this finding.
  • exposed-medium-value-resources-count=74
    • The number of medium value resources that are exposed as a result of this finding.
  • latest-calculation-time=vero
    • The most recent time the attack exposure was updated on this finding.
  • score=0.33057261193967324
    • A number between 0 (inclusive) and infinity that represents how important this finding is to remediate. The higher the score, the more important it is to remediate.
  • state=gubergren

    • What state this AttackExposure is in. This captures whether or not an attack exposure has been calculated.
  • ..backup-disaster-recovery appliance=et

    • The name of the Backup and DR appliance that captures, moves, and manages the lifecycle of backup data. For example, backup-server-57137.
  • applications=invidunt
    • The names of Backup and DR applications. An application is a VM, database, or file system on a managed host monitored by a backup and recovery appliance. For example, centos7-01-vol00, centos7-01-vol01, centos7-01-vol02.
    • Each invocation of this argument appends the given value to the array.
  • backup-create-time=magna
    • The timestamp at which the Backup and DR backup was created.
  • backup-template=sit
    • The name of a Backup and DR template which comprises one or more backup policies. See the Backup and DR documentation for more information. For example, snap-ov.
  • backup-type=gubergren
    • The backup type of the Backup and DR image. For example, Snapshot, Remote Snapshot, OnVault.
  • host=elitr
    • The name of a Backup and DR host, which is managed by the backup and recovery appliance and known to the management console. The host can be of type Generic (for example, Compute Engine, SQL Server, Oracle DB, SMB file system, etc.), vCenter, or an ESX server. See the Backup and DR documentation on hosts for more information. For example, centos7-01.
  • policies=ipsum
    • The names of Backup and DR policies that are associated with a template and that define when to run a backup, how frequently to run a backup, and how long to retain the backup image. For example, onvaults.
    • Each invocation of this argument appends the given value to the array.
  • policy-options=kasd
    • The names of Backup and DR advanced policy options of a policy applying to an application. See the Backup and DR documentation on policy options. For example, skipofflineappsincongrp, nounmap.
    • Each invocation of this argument appends the given value to the array.
  • profile=dolore
  • storage-pool=lorem

    • The name of the Backup and DR storage pool that the backup and recovery appliance is storing data in. The storage pool could be of type Cloud, Primary, Snapshot, or OnVault. See the Backup and DR documentation on storage pools. For example, DiskPoolOne.
  • .. canonical-name=amet

    • The canonical name of the finding. It's either "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}", "folders/{folder_id}/sources/{source_id}/findings/{finding_id}" or "projects/{project_number}/sources/{source_id}/findings/{finding_id}", depending on the closest CRM ancestor of the resource associated with the finding.
  • category=ipsum
    • The additional taxonomy group within findings from a given source. This field is immutable after creation time. Example: "XSS_FLASH_INJECTION"
  • cloud-dlp-data-profile data-profile=lorem
    • Name of the data profile, for example, projects/123/locations/europe/tableProfiles/8383929.
  • parent-type=dolores

    • The resource hierarchy level at which the data profile was generated.
  • ..cloud-dlp-inspection full-scan=false

    • Whether Cloud DLP scanned the complete resource or a sampled subset.
  • info-type=stet
    • The type of information (or infoType) found, for example, EMAIL_ADDRESS or STREET_ADDRESS.
  • info-type-count=-23
    • The number of times Cloud DLP found this infoType within this job and resource.
  • inspect-job=consetetur

    • Name of the inspection job, for example, projects/123/locations/europe/dlpJobs/i-8383929.
  • .. create-time=takimata

    • The time at which the finding was created in Security Command Center.
  • database display-name=sed
    • The human-readable name of the database that the user connected to.
  • grantees=nonumy
    • The target usernames, roles, or groups of an SQL privilege grant, which is not an IAM policy change.
    • Each invocation of this argument appends the given value to the array.
  • name=sea
    • The full resource name of the database that the user connected to, if it is supported by Cloud Asset Inventory. Some database resources may not have the full resource name populated because these resource types are not yet supported by Cloud Asset Inventory (e.g. Cloud SQL databases). In these cases only the display name will be provided.
  • query=eos
    • The SQL statement that is associated with the database access.
  • user-name=dolore
    • The username used to connect to the database. The username might not be an IAM principal and does not have a set format.
  • version=accusam

  • .. description=elitr

    • Contains more details about the finding.
  • event-time=sed
    • The time the finding was first detected. If an existing finding is updated, then this is the time the update occurred. For example, if the finding represents an open firewall, this property captures the time the detector believes the firewall became open. The accuracy is determined by the detector. If the finding is later resolved, then this time reflects when the finding was resolved. This must not be set to a value greater than the current timestamp.
  • exfiltration total-exfiltrated-bytes=labore

    • Total exfiltrated bytes processed for the entire job.
  • .. external-uri=et

    • The URI that, if available, points to a web page outside of Security Command Center where additional information about the finding can be found. This field is guaranteed to be either empty or a well formed URL.
  • finding-class=eirmod
    • The class of the finding.
  • indicator domains=sed
    • List of domains associated with the finding.
    • Each invocation of this argument appends the given value to the array.
  • ip-addresses=at
    • The list of IP addresses that are associated with the finding.
    • Each invocation of this argument appends the given value to the array.
  • uris=stet

    • The list of URIs associated with the finding.
    • Each invocation of this argument appends the given value to the array.
  • ..kernel-rootkit name=sit

    • Rootkit name, when available.
  • unexpected-code-modification=true
    • True if unexpected modifications of kernel code memory are present.
  • unexpected-ftrace-handler=true
    • True if ftrace points are present with callbacks pointing to regions that are not in the expected kernel or module code range.
  • unexpected-interrupt-handler=false
    • True if interrupt handlers that are not in the expected kernel or module code regions are present.
  • unexpected-kernel-code-pages=false
    • True if kernel code pages that are not in the expected kernel or module code regions are present.
  • unexpected-kprobe-handler=false
    • True if kprobe points are present with callbacks pointing to regions that are not in the expected kernel or module code range.
  • unexpected-processes-in-runqueue=false
    • True if unexpected processes in the scheduler run queue are present. Such processes are in the run queue, but not in the process task list.
  • unexpected-read-only-data-modification=false
    • True if unexpected modifications of kernel read-only data memory are present.
  • unexpected-system-call-handler=true

    • True if system call handlers that are not in the expected kernel or module code regions are present.
  • ..mitre-attack additional-tactics=erat

    • Additional MITRE ATT&CK tactics related to this finding, if any.
    • Each invocation of this argument appends the given value to the array.
  • additional-techniques=dolore
    • Additional MITRE ATT&CK techniques related to this finding, if any, along with any of their respective parent techniques.
    • Each invocation of this argument appends the given value to the array.
  • primary-tactic=vero
    • The MITRE ATT&CK tactic most closely represented by this finding, if any.
  • primary-techniques=ea
    • The MITRE ATT&CK technique most closely represented by this finding, if any. primary_techniques is a repeated field because there are multiple levels of MITRE ATT&CK techniques. If the technique most closely represented by this finding is a sub-technique (e.g. SCANNING_IP_BLOCKS), both the sub-technique and its parent technique(s) will be listed (e.g. SCANNING_IP_BLOCKS, ACTIVE_SCANNING).
    • Each invocation of this argument appends the given value to the array.
  • version=et

    • The MITRE ATT&CK version referenced by the above fields. E.g. "8".
  • .. module-name=amet.

    • Unique identifier of the module which generated the finding. Example: folders/598186756061/securityHealthAnalyticsSettings/customModules/56799441161885
  • mute=eirmod
    • Indicates the mute state of a finding (either muted, unmuted or undefined). Unlike other attributes of a finding, a finding provider shouldn't set the value of mute.
  • mute-initiator=sanctus
    • Records additional information about the mute operation, for example, the mute configuration that muted the finding and the user who muted the finding.
  • mute-update-time=sed
    • Output only. The most recent time this finding was muted or unmuted.
  • name=dolor
    • The relative resource name of the finding. Example: "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}", "folders/{folder_id}/sources/{source_id}/findings/{finding_id}", "projects/{project_id}/sources/{source_id}/findings/{finding_id}".
  • next-steps=et
    • Steps to address the finding.
  • parent=et
    • The relative resource name of the source the finding belongs to. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name This field is immutable after creation time. For example: "organizations/{organization_id}/sources/{source_id}"
  • parent-display-name=erat
    • Output only. The human readable display name of the finding source such as "Event Threat Detection" or "Security Health Analytics".
  • resource-name=eos
    • For findings on Google Cloud resources, the full resource name of the Google Cloud resource this finding is for. See: https://cloud.google.com/apis/design/resource_names#full_resource_name When the finding is for a non-Google Cloud resource, the resourceName can be a customer or partner defined string. This field is immutable after creation time.
  • security-marks canonical-name=nonumy
    • The canonical name of the marks. Examples: "organizations/{organization_id}/assets/{asset_id}/securityMarks" "folders/{folder_id}/assets/{asset_id}/securityMarks" "projects/{project_number}/assets/{asset_id}/securityMarks" "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}/securityMarks" "folders/{folder_id}/sources/{source_id}/findings/{finding_id}/securityMarks" "projects/{project_number}/sources/{source_id}/findings/{finding_id}/securityMarks"
  • marks=key=ea
    • Mutable user specified security marks belonging to the parent resource. Constraints are as follows:
      • Keys and values are treated as case insensitive
      • Keys must be between 1 - 256 characters (inclusive)
      • Keys must be letters, numbers, underscores, or dashes
      • Values have leading and trailing whitespace trimmed, remaining characters must be between 1 - 4096 characters (inclusive)
    • the value will be associated with the given key
  • name=aliquyam

    • The relative resource name of the SecurityMarks. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name Examples: "organizations/{organization_id}/assets/{asset_id}/securityMarks" "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}/securityMarks".
  • ..security-posture changed-policy=nonumy

    • The name of the updated policy, for example, projects/{project_id}/policies/{constraint_name}.
  • name=stet
    • Name of the posture, for example, CIS-Posture.
  • policy=rebum.
    • The ID of the updated policy, for example, compute-policy-1.
  • policy-set=eirmod
    • The name of the updated policyset, for example, cis-policyset.
  • posture-deployment=dolores
    • The name of the posture deployment, for example, organizations/{org_id}/posturedeployments/{posture_deployment_id}.
  • posture-deployment-resource=aliquyam
    • The project, folder, or organization on which the posture is deployed, for example, projects/{project_number}.
  • revision-id=sanctus

    • The version of the posture, for example, c7cfa2a8.
  • .. severity=invidunt

    • The severity of the finding. This field is managed by the source that writes the finding.
  • state=dolor
    • The state of the finding.
  • vulnerability.cve.cvssv3 attack-complexity=eos
    • This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.
  • attack-vector=magna
    • This metric reflects the context by which vulnerability exploitation is possible. Like the other CVSS v3 base metrics, it represents an intrinsic characteristic of the vulnerability that is constant over time and across user environments.
  • availability-impact=no
    • This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.
  • base-score=0.699203313612314
    • The base score is a function of the base metric scores.
  • confidentiality-impact=aliquyam
    • This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.
  • integrity-impact=consetetur
    • This metric measures the impact to integrity of a successfully exploited vulnerability.
  • privileges-required=ea
    • This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.
  • scope=lorem
    • The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope.
  • user-interaction=elitr

    • This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component.
  • .. exploitation-activity=justo

    • The exploitation activity of the vulnerability in the wild.
  • id=lorem
    • The unique identifier for the vulnerability. e.g. CVE-2021-34527
  • impact=labore
    • The potential impact of the vulnerability if it was to be exploited.
  • observed-in-the-wild=true
    • Whether or not the vulnerability has been observed in the wild.
  • upstream-fix-available=false
    • Whether upstream fix is available for the CVE.
  • zero-day=false

    • Whether or not the vulnerability was zero day when the finding was published.
  • ..fixed-package cpe-uri=sanctus

    • The CPE URI where the vulnerability was detected.
  • package-name=labore
    • The name of the package where the vulnerability was detected.
  • package-type=amet
    • Type of package, for example, os, maven, or go.
  • package-version=et

    • The version of the package.
  • ..offending-package cpe-uri=dolore

    • The CPE URI where the vulnerability was detected.
  • package-name=voluptua.
    • The name of the package where the vulnerability was detected.
  • package-type=sit
    • Type of package, for example, os, maven, or go.
  • package-version=sanctus

    • The version of the package.
  • ..security-bulletin bulletin-id=ipsum

    • ID of the bulletin corresponding to the vulnerability.
  • submission-time=eirmod
    • Submission time of this Security Bulletin.
  • suggested-upgrade-version=vero
    • This represents a version that the cluster receiving this notification should be upgraded to, based on its current version. For example, 1.15.0

About Cursors

The cursor position is key to comfortably set complex nested structures. The following rules apply:

  • The cursor position is always set relative to the current one, unless the field name starts with the . character. Fields can be nested such as in -r f.s.o .
  • The cursor position is set relative to the top-level structure if it starts with ., e.g. -r .s.s
  • You can also set nested fields without setting the cursor explicitly. For example, to set a value relative to the current cursor position, you would specify -r struct.sub_struct=bar.
  • You can move the cursor one level up by using .. (two dots). Each additional . moves it up one additional level. E.g. ... (three dots) moves two levels up and .... (four dots) moves three levels up.
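The cursor rules above are easy to get wrong in a long argument list, and a mistake silently lands a value in the wrong structure. The following is an added example written for this page, not code from the securitycenter1 CLI: it reimplements the documented cursor rules so that a -r argument sequence can be resolved offline into the nested body it would produce, and inspected before the real call. Two assumptions are made here and marked in the code: kebab-case field names are mapped to camelCase JSON keys, and the caller names which fields are arrays ("Each invocation of this argument appends the given value to the array") or maps (marks=key=value), because the CLI derives that from the schema and this script does not have it.

```python
"""Apply the `-r` cursor rules from "About Cursors" to build the request body.

Added example for this page, not the securitycenter1 CLI's own code. It
reimplements the documented cursor rules so an argument sequence can be
checked offline before the real call. Assumptions: kebab-case field names
map to the camelCase keys of the JSON body, and the caller names the
array-valued and map-valued fields (the CLI knows them from the schema).
"""
from __future__ import annotations

import json
from typing import Any


def _camel(name: str) -> str:
    """kebab-case CLI field name -> camelCase JSON key (assumption, see docstring)."""
    head, *rest = name.split("-")
    return head + "".join(part.capitalize() for part in rest)


def _descend(root: dict[str, Any], path: list[str]) -> dict[str, Any]:
    node = root
    for key in path:
        node = node.setdefault(key, {})
    return node


def resolve_request(
    args: list[str],
    repeated: frozenset[str] = frozenset(),
    mapped: frozenset[str] = frozenset(),
) -> dict[str, Any]:
    """Return the nested body produced by the tokens that follow `-r`."""
    repeated_keys = {_camel(f) for f in repeated}
    mapped_keys = {_camel(f) for f in mapped}
    body: dict[str, Any] = {}
    cursor: list[str] = []  # path from the top-level structure to the cursor

    for token in args:
        field, has_value, value = token.partition("=")
        # Leading dots: "." resets to the top level, ".." goes one level up,
        # and every further "." goes one level higher. No dot: relative.
        dots = len(field) - len(field.lstrip("."))
        rest = field.lstrip(".")
        if dots == 0:
            base = list(cursor)
        elif dots == 1:
            base = []
        else:
            base = cursor[: max(0, len(cursor) - (dots - 1))]
        path = base + ([_camel(p) for p in rest.split(".")] if rest else [])

        if not has_value:
            cursor = path  # a bare field only moves the cursor
            continue

        *parent_path, leaf = path
        parent = _descend(body, parent_path)
        if leaf in repeated_keys:
            parent.setdefault(leaf, []).append(value)
        elif leaf in mapped_keys:
            map_key, _, map_value = value.partition("=")
            parent.setdefault(leaf, {})[map_key] = map_value
        else:
            parent[leaf] = value
    return body


# Constructed argument sequence in the order the reference describes; the
# addresses are from the documentation range 203.0.113.0/24.
EXAMPLE_ARGS = [
    ".access", "caller-ip=203.0.113.7",
    "caller-ip-geo", "region-code=US",
    "..", "method-name=SetIamPolicy", "principal-email=svc@example.com",
    "..application", "full-uri=http://example.com?p=aMmYgI6H",  # '=' in a value stays a scalar
    "..indicator", "ip-addresses=203.0.113.7", "ip-addresses=203.0.113.9",
    "..security-marks", "marks=owner=app-sec", "marks=ticket=SEC-42",
    "..", "category=XSS_FLASH_INJECTION", "severity=HIGH", "state=ACTIVE",
]
REPEATED = frozenset({"ip-addresses", "domains", "uris"})
MAPPED = frozenset({"marks"})


def build_example() -> dict[str, Any]:
    return resolve_request(EXAMPLE_ARGS, repeated=REPEATED, mapped=MAPPED)


if __name__ == "__main__":
    print(json.dumps(build_example(), indent=2))
```

Running it prints the body with access, application, indicator and securityMarks as sibling structures and category, severity and state at the top level, which is the shape the argument order intends; a missing .. shows up immediately as a field nested one level too deep.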

Optional Output Flags

The method's return value is a JSON encoded structure, which will be written to standard output by default.

  • -o out
    • out specifies the destination to which the server's result is written. It will be a JSON-encoded structure. The destination may be - to indicate standard output, or a filepath that is to contain the received bytes. If unset, it defaults to standard output.

Optional Method Properties

You may set the following properties to further configure the call. Please note that -p is followed by one or more key-value-pairs, and is called like this -p k1=v1 k2=v2 even though the listing below repeats the -p for completeness.

  • -p finding-id=string
    • Required. Unique identifier provided by the client within the parent scope. It must be alphanumeric and less than or equal to 32 characters and greater than 0 characters in length.
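Several constraints on this call are only enforced server-side, and a rejected or half-correct finding costs a round trip or, worse, creates a finding with the wrong event time or parent that is then immutable. The following is an added example written for this page, not part of the securitycenter1 CLI: a pre-flight check that applies the constraints stated in this reference (the <parent> format, the finding-id rules, event-time not later than the current time, the security-marks key and value rules, external-uri empty or a well formed URL, and the fields a finding provider should not set: mute, and the Output only mute-update-time and parent-display-name). It assumes the request body is available as a dict with the camelCase keys of the JSON API; the sample bodies and the fixed clock are constructed for the example.

```python
"""Pre-flight checks for a sources-findings-create request.

Added example for this page, not part of the securitycenter1 CLI. It checks
a request against the constraints stated in the reference before the call
is made. Assumption: the body is a dict with the camelCase keys of the JSON
API (securityMarks, externalUri, eventTime, ...).
"""
from __future__ import annotations

import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# "organizations/[organization_id]/sources/[source_id]" (Required Scalar Argument)
PARENT_RE = re.compile(r"^organizations/[^/]+/sources/[^/]+$")
# finding-id: alphanumeric, 1..32 characters (Optional Method Properties)
FINDING_ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")
# marks keys: letters, numbers, underscores or dashes, 1..256 characters
MARK_KEY_RE = re.compile(r"^[A-Za-z0-9_-]{1,256}$")
# mute is owned by Security Command Center; the other two are "Output only".
NOT_FOR_PROVIDERS = ("mute", "muteUpdateTime", "parentDisplayName")


def _parse_timestamp(value: str) -> datetime:
    """RFC 3339 with a trailing Z; fromisoformat() rejects 'Z' before Python 3.11."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def preflight(parent: str, finding_id: str, finding: dict, now: datetime | None = None) -> list[str]:
    """Return the list of violated constraints; an empty list means the request passes."""
    now = now or datetime.now(timezone.utc)
    problems: list[str] = []

    if not PARENT_RE.match(parent):
        problems.append(f"parent {parent!r} is not organizations/<org>/sources/<source>")
    if not FINDING_ID_RE.match(finding_id):
        problems.append("finding-id must be 1-32 alphanumeric characters")
    if "parent" in finding and finding["parent"] != parent:
        problems.append("finding.parent must equal the <parent> argument (immutable after creation)")

    for field in NOT_FOR_PROVIDERS:
        if field in finding:
            problems.append(f"{field} is set by Security Command Center, not by the finding provider")

    seen_keys: set[str] = set()
    for key, value in finding.get("securityMarks", {}).get("marks", {}).items():
        if not MARK_KEY_RE.match(key):
            problems.append(f"mark key {key!r} violates the key constraints")
        if key.lower() in seen_keys:  # keys are case insensitive
            problems.append(f"mark key {key!r} duplicates another key differing only in case")
        seen_keys.add(key.lower())
        if not 1 <= len(value.strip()) <= 4096:
            problems.append(f"mark value for {key!r} must be 1-4096 characters after trimming")

    external_uri = finding.get("externalUri", "")
    if external_uri:
        parts = urlparse(external_uri)
        if not (parts.scheme and parts.netloc):
            problems.append("externalUri must be empty or a well formed URL")

    event_time = finding.get("eventTime")
    if event_time is not None:
        try:
            ts = _parse_timestamp(event_time)
        except ValueError:
            problems.append(f"eventTime {event_time!r} is not an RFC 3339 timestamp")
        else:
            if ts.tzinfo is None:
                problems.append("eventTime must carry a UTC offset")
            elif ts > now:
                problems.append("eventTime must not be later than the current time")
    return problems


# Constructed request bodies and a fixed clock for a reproducible run.
FIXED_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

GOOD_FINDING = {
    "parent": "organizations/123/sources/456",
    "category": "XSS_FLASH_INJECTION",
    "state": "ACTIVE",
    "severity": "HIGH",
    "eventTime": "2024-05-31T12:00:00Z",
    "externalUri": "https://example.com/advisories/1",
    "securityMarks": {"marks": {"owner": "app-sec"}},
}

BAD_FINDING = {  # breaks several documented constraints at once
    "mute": "MUTED",
    "eventTime": "2024-06-02T00:00:00Z",
    "externalUri": "not a url",
    "securityMarks": {"marks": {"Owner": "x", "owner": " ", "bad key!": "v"}},
}

if __name__ == "__main__":
    for problem in preflight("organizations/123/sources/456", "xss0001", BAD_FINDING, now=FIXED_NOW):
        print("-", problem)
```

Run against BAD_FINDING the check reports the muted state set by the provider, the future event time, the malformed external URI, and three security-marks violations (a key that differs from another only in case, a value that is empty after trimming, and a key with a disallowed character); GOOD_FINDING passes with no findings.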

Optional General Properties

The following properties can configure any call, and are not specific to this method.

  • -p $-xgafv=string
    • V1 error format.
  • -p access-token=string
    • OAuth access token.
  • -p alt=string
    • Data format for response.
  • -p callback=string
    • JSONP
  • -p fields=string
    • Selector specifying which fields to include in a partial response.
  • -p key=string
    • API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
  • -p oauth-token=string
    • OAuth 2.0 token for the current user.
  • -p pretty-print=boolean
    • Returns response with indentations and line breaks.
  • -p quota-user=string
    • Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
  • -p upload-type=string
    • Legacy upload protocol for media (e.g. "media", "multipart").
  • -p upload-protocol=string
    • Upload protocol for media (e.g. "raw", "multipart").