Creates or updates a finding. The corresponding source must exist for a finding creation to succeed.
Scopes
You will need authorization for the https://www.googleapis.com/auth/cloud-platform scope to make a valid call.
If unset, the scope for this method defaults to https://www.googleapis.com/auth/cloud-platform.
You can set the scope for this method like this: securitycenter1 --scope <scope> organizations sources-findings-patch ...
Required Scalar Argument
- <name> (string)
- The relative resource name of the finding. Example: "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}", "folders/{folder_id}/sources/{source_id}/findings/{finding_id}", "projects/{project_id}/sources/{source_id}/findings/{finding_id}".
Required Request Value
The request value is a data-structure with various fields. Each field may be a simple scalar or another data-structure. In the latter case it is advised to set the field-cursor to the data-structure's field to specify values more concisely.
For example, a structure like this:
Finding:
access:
caller-ip: string
caller-ip-geo:
region-code: string
method-name: string
principal-email: string
principal-subject: string
service-account-key-name: string
service-name: string
user-agent: string
user-agent-family: string
user-name: string
application:
base-uri: string
full-uri: string
attack-exposure:
attack-exposure-result: string
exposed-high-value-resources-count: integer
exposed-low-value-resources-count: integer
exposed-medium-value-resources-count: integer
latest-calculation-time: string
score: number
state: string
backup-disaster-recovery:
appliance: string
applications: [string]
backup-create-time: string
backup-template: string
backup-type: string
host: string
policies: [string]
policy-options: [string]
profile: string
storage-pool: string
canonical-name: string
category: string
cloud-dlp-data-profile:
data-profile: string
parent-type: string
cloud-dlp-inspection:
full-scan: boolean
info-type: string
info-type-count: int64
inspect-job: string
create-time: string
database:
display-name: string
grantees: [string]
name: string
query: string
user-name: string
version: string
description: string
event-time: string
exfiltration:
total-exfiltrated-bytes: string
external-uri: string
finding-class: string
indicator:
domains: [string]
ip-addresses: [string]
uris: [string]
kernel-rootkit:
name: string
unexpected-code-modification: boolean
unexpected-ftrace-handler: boolean
unexpected-interrupt-handler: boolean
unexpected-kernel-code-pages: boolean
unexpected-kprobe-handler: boolean
unexpected-processes-in-runqueue: boolean
unexpected-read-only-data-modification: boolean
unexpected-system-call-handler: boolean
mitre-attack:
additional-tactics: [string]
additional-techniques: [string]
primary-tactic: string
primary-techniques: [string]
version: string
module-name: string
mute: string
mute-initiator: string
mute-update-time: string
name: string
next-steps: string
parent: string
parent-display-name: string
resource-name: string
security-marks:
canonical-name: string
marks: { string: string }
name: string
security-posture:
changed-policy: string
name: string
policy: string
policy-set: string
posture-deployment: string
posture-deployment-resource: string
revision-id: string
severity: string
state: string
vulnerability:
cve:
cvssv3:
attack-complexity: string
attack-vector: string
availability-impact: string
base-score: number
confidentiality-impact: string
integrity-impact: string
privileges-required: string
scope: string
user-interaction: string
exploitation-activity: string
id: string
impact: string
observed-in-the-wild: boolean
upstream-fix-available: boolean
zero-day: boolean
fixed-package:
cpe-uri: string
package-name: string
package-type: string
package-version: string
offending-package:
cpe-uri: string
package-name: string
package-type: string
package-version: string
security-bulletin:
bulletin-id: string
submission-time: string
suggested-upgrade-version: string
can be set completely with the following arguments which are assumed to be executed in the given order. Note how the cursor position is adjusted to the respective structures, allowing simple field names to be used most of the time.
-r .access caller-ip=sanctus
- Caller's IP address, such as "1.1.1.1".
-
caller-ip-geo region-code=kasd
- A CLDR.
-
.. method-name=eirmod
- The method that the service account called, e.g. "SetIamPolicy".
principal-email=dolores
- Associated email, such as "foo@google.com". The email address of the authenticated user or a service account acting on behalf of a third party principal making the request. For third party identity callers, the
principal_subject
field is populated instead of this field. For privacy reasons, the principal email address is sometimes redacted. For more information, see Caller identities in audit logs.
- Associated email, such as "foo@google.com". The email address of the authenticated user or a service account acting on behalf of a third party principal making the request. For third party identity callers, the
principal-subject=aliquyam
- A string that represents the principal_subject that is associated with the identity. Unlike
principal_email
,principal_subject
supports principals that aren't associated with email addresses, such as third party principals. For most identities, the format isprincipal://iam.googleapis.com/{identity pool name}/subject/{subject}
. Some GKE identities, such as GKE_WORKLOAD, FREEFORM, and GKE_HUB_WORKLOAD, still use the legacy formatserviceAccount:{identity pool name}[{subject}]
.
- A string that represents the principal_subject that is associated with the identity. Unlike
service-account-key-name=dolor
- The name of the service account key that was used to create or exchange credentials when authenticating the service account that made the request. This is a scheme-less URI full resource name. For example: "//iam.googleapis.com/projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}".
service-name=vero
- This is the API service that the service account made a call to, e.g. "iam.googleapis.com"
user-agent=ea
- The caller's user agent string associated with the finding.
user-agent-family=magna
- Type of user agent associated with the finding. For example, an operating system shell or an embedded or standalone application.
-
user-name=rebum.
- A string that represents a username. The username provided depends on the type of the finding and is likely not an IAM principal. For example, this can be a system username if the finding is related to a virtual machine, or it can be an application login username.
-
..application base-uri=amet
- The base URI that identifies the network location of the application in which the vulnerability was detected. For example,
http://example.com
.
- The base URI that identifies the network location of the application in which the vulnerability was detected. For example,
-
full-uri=sea
- The full URI with payload that can be used to reproduce the vulnerability. For example,
http://example.com?p=aMmYgI6H
.
- The full URI with payload that can be used to reproduce the vulnerability. For example,
-
..attack-exposure attack-exposure-result=sadipscing
- The resource name of the attack path simulation result that contains the details regarding this attack exposure score. Example: organizations/123/simulations/456/attackExposureResults/789
exposed-high-value-resources-count=17
- The number of high value resources that are exposed as a result of this finding.
exposed-low-value-resources-count=54
- The number of high value resources that are exposed as a result of this finding.
exposed-medium-value-resources-count=63
- The number of medium value resources that are exposed as a result of this finding.
latest-calculation-time=invidunt
- The most recent time the attack exposure was updated on this finding.
score=0.6434166192581234
- A number between 0 (inclusive) and infinity that represents how important this finding is to remediate. The higher the score, the more important it is to remediate.
-
state=diam
- What state this AttackExposure is in. This captures whether or not an attack exposure has been calculated or not.
-
..backup-disaster-recovery appliance=sanctus
- The name of the Backup and DR appliance that captures, moves, and manages the lifecycle of backup data. For example,
backup-server-57137
.
- The name of the Backup and DR appliance that captures, moves, and manages the lifecycle of backup data. For example,
applications=sed
- The names of Backup and DR applications. An application is a VM, database, or file system on a managed host monitored by a backup and recovery appliance. For example,
centos7-01-vol00
,centos7-01-vol01
,centos7-01-vol02
. - Each invocation of this argument appends the given value to the array.
- The names of Backup and DR applications. An application is a VM, database, or file system on a managed host monitored by a backup and recovery appliance. For example,
backup-create-time=eos
- The timestamp at which the Backup and DR backup was created.
backup-template=sit
- The name of a Backup and DR template which comprises one or more backup policies. See the Backup and DR documentation for more information. For example,
snap-ov
.
- The name of a Backup and DR template which comprises one or more backup policies. See the Backup and DR documentation for more information. For example,
backup-type=et
- The backup type of the Backup and DR image. For example,
Snapshot
,Remote Snapshot
,OnVault
.
- The backup type of the Backup and DR image. For example,
host=ea
- The name of a Backup and DR host, which is managed by the backup and recovery appliance and known to the management console. The host can be of type Generic (for example, Compute Engine, SQL Server, Oracle DB, SMB file system, etc.), vCenter, or an ESX server. See the Backup and DR documentation on hosts for more information. For example,
centos7-01
.
- The name of a Backup and DR host, which is managed by the backup and recovery appliance and known to the management console. The host can be of type Generic (for example, Compute Engine, SQL Server, Oracle DB, SMB file system, etc.), vCenter, or an ESX server. See the Backup and DR documentation on hosts for more information. For example,
policies=dolor
- The names of Backup and DR policies that are associated with a template and that define when to run a backup, how frequently to run a backup, and how long to retain the backup image. For example,
onvaults
. - Each invocation of this argument appends the given value to the array.
- The names of Backup and DR policies that are associated with a template and that define when to run a backup, how frequently to run a backup, and how long to retain the backup image. For example,
policy-options=sadipscing
- The names of Backup and DR advanced policy options of a policy applying to an application. See the Backup and DR documentation on policy options. For example,
skipofflineappsincongrp, nounmap
. - Each invocation of this argument appends the given value to the array.
- The names of Backup and DR advanced policy options of a policy applying to an application. See the Backup and DR documentation on policy options. For example,
profile=diam
- The name of the Backup and DR resource profile that specifies the storage media for backups of application and VM data. See the Backup and DR documentation on profiles. For example,
GCP
.
- The name of the Backup and DR resource profile that specifies the storage media for backups of application and VM data. See the Backup and DR documentation on profiles. For example,
-
storage-pool=at
- The name of the Backup and DR storage pool that the backup and recovery appliance is storing data in. The storage pool could be of type Cloud, Primary, Snapshot, or OnVault. See the Backup and DR documentation on storage pools. For example,
DiskPoolOne
.
- The name of the Backup and DR storage pool that the backup and recovery appliance is storing data in. The storage pool could be of type Cloud, Primary, Snapshot, or OnVault. See the Backup and DR documentation on storage pools. For example,
-
.. canonical-name=at
- The canonical name of the finding. It's either "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}", "folders/{folder_id}/sources/{source_id}/findings/{finding_id}" or "projects/{project_number}/sources/{source_id}/findings/{finding_id}", depending on the closest CRM ancestor of the resource associated with the finding.
category=kasd
- The additional taxonomy group within findings from a given source. This field is immutable after creation time. Example: "XSS_FLASH_INJECTION"
cloud-dlp-data-profile data-profile=magna
- Name of the data profile, for example,
projects/123/locations/europe/tableProfiles/8383929
.
- Name of the data profile, for example,
-
parent-type=amet.
- The resource hierarchy level at which the data profile was generated.
-
..cloud-dlp-inspection full-scan=true
- Whether Cloud DLP scanned the complete resource or a sampled subset.
info-type=eos
- The type of information (or infoType) found, for example,
EMAIL_ADDRESS
orSTREET_ADDRESS
.
- The type of information (or infoType) found, for example,
info-type-count=-34
- The number of times Cloud DLP found this infoType within this job and resource.
-
inspect-job=tempor
- Name of the inspection job, for example,
projects/123/locations/europe/dlpJobs/i-8383929
.
- Name of the inspection job, for example,
-
.. create-time=stet
- The time at which the finding was created in Security Command Center.
database display-name=accusam
- The human-readable name of the database that the user connected to.
grantees=et
- The target usernames, roles, or groups of an SQL privilege grant, which is not an IAM policy change.
- Each invocation of this argument appends the given value to the array.
name=dolor
- Some database resources may not have the full resource name populated because these resource types are not yet supported by Cloud Asset Inventory (e.g. Cloud SQL databases). In these cases only the display name will be provided. The full resource name of the database that the user connected to, if it is supported by Cloud Asset Inventory.
query=diam
- The SQL statement that is associated with the database access.
user-name=elitr
- The username used to connect to the database. The username might not be an IAM principal and does not have a set format.
-
version=sea
- The version of the database, for example, POSTGRES_14. See the complete list.
-
.. description=vero
- Contains more details about the finding.
event-time=et
- The time the finding was first detected. If an existing finding is updated, then this is the time the update occurred. For example, if the finding represents an open firewall, this property captures the time the detector believes the firewall became open. The accuracy is determined by the detector. If the finding is later resolved, then this time reflects when the finding was resolved. This must not be set to a value greater than the current timestamp.
-
exfiltration total-exfiltrated-bytes=lorem
- Total exfiltrated bytes processed for the entire job.
-
.. external-uri=sit
- The URI that, if available, points to a web page outside of Security Command Center where additional information about the finding can be found. This field is guaranteed to be either empty or a well formed URL.
finding-class=lorem
- The class of the finding.
indicator domains=amet.
- List of domains associated to the Finding.
- Each invocation of this argument appends the given value to the array.
ip-addresses=diam
- The list of IP addresses that are associated with the finding.
- Each invocation of this argument appends the given value to the array.
-
uris=diam
- The list of URIs associated to the Findings.
- Each invocation of this argument appends the given value to the array.
-
..kernel-rootkit name=et
- Rootkit name, when available.
unexpected-code-modification=true
- True if unexpected modifications of kernel code memory are present.
unexpected-ftrace-handler=false
- True if
ftrace
points are present with callbacks pointing to regions that are not in the expected kernel or module code range.
- True if
unexpected-interrupt-handler=true
- True if interrupt handlers that are are not in the expected kernel or module code regions are present.
unexpected-kernel-code-pages=true
- True if kernel code pages that are not in the expected kernel or module code regions are present.
unexpected-kprobe-handler=true
- True if
kprobe
points are present with callbacks pointing to regions that are not in the expected kernel or module code range.
- True if
unexpected-processes-in-runqueue=false
- True if unexpected processes in the scheduler run queue are present. Such processes are in the run queue, but not in the process task list.
unexpected-read-only-data-modification=false
- True if unexpected modifications of kernel read-only data memory are present.
-
unexpected-system-call-handler=false
- True if system call handlers that are are not in the expected kernel or module code regions are present.
-
..mitre-attack additional-tactics=et
- Additional MITRE ATT&CK tactics related to this finding, if any.
- Each invocation of this argument appends the given value to the array.
additional-techniques=est
- Additional MITRE ATT&CK techniques related to this finding, if any, along with any of their respective parent techniques.
- Each invocation of this argument appends the given value to the array.
primary-tactic=stet
- The MITRE ATT&CK tactic most closely represented by this finding, if any.
primary-techniques=dolor
- The MITRE ATT&CK technique most closely represented by this finding, if any. primary_techniques is a repeated field because there are multiple levels of MITRE ATT&CK techniques. If the technique most closely represented by this finding is a sub-technique (e.g.
SCANNING_IP_BLOCKS
), both the sub-technique and its parent technique(s) will be listed (e.g.SCANNING_IP_BLOCKS
,ACTIVE_SCANNING
). - Each invocation of this argument appends the given value to the array.
- The MITRE ATT&CK technique most closely represented by this finding, if any. primary_techniques is a repeated field because there are multiple levels of MITRE ATT&CK techniques. If the technique most closely represented by this finding is a sub-technique (e.g.
-
version=et
- The MITRE ATT&CK version referenced by the above fields. E.g. "8".
-
.. module-name=labore
- Unique identifier of the module which generated the finding. Example: folders/598186756061/securityHealthAnalyticsSettings/customModules/56799441161885
mute=labore
- Indicates the mute state of a finding (either muted, unmuted or undefined). Unlike other attributes of a finding, a finding provider shouldn't set the value of mute.
mute-initiator=et
- Records additional information about the mute operation, for example, the mute configuration that muted the finding and the user who muted the finding.
mute-update-time=aliquyam
- Output only. The most recent time this finding was muted or unmuted.
name=ut
- The relative resource name of the finding. Example: "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}", "folders/{folder_id}/sources/{source_id}/findings/{finding_id}", "projects/{project_id}/sources/{source_id}/findings/{finding_id}".
next-steps=amet.
- Steps to address the finding.
parent=gubergren
- The relative resource name of the source the finding belongs to. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name This field is immutable after creation time. For example: "organizations/{organization_id}/sources/{source_id}"
parent-display-name=est
- Output only. The human readable display name of the finding source such as "Event Threat Detection" or "Security Health Analytics".
resource-name=rebum.
- For findings on Google Cloud resources, the full resource name of the Google Cloud resource this finding is for. See: https://cloud.google.com/apis/design/resource_names#full_resource_name When the finding is for a non-Google Cloud resource, the resourceName can be a customer or partner defined string. This field is immutable after creation time.
security-marks canonical-name=consetetur
- The canonical name of the marks. Examples: "organizations/{organization_id}/assets/{asset_id}/securityMarks" "folders/{folder_id}/assets/{asset_id}/securityMarks" "projects/{project_number}/assets/{asset_id}/securityMarks" "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}/securityMarks" "folders/{folder_id}/sources/{source_id}/findings/{finding_id}/securityMarks" "projects/{project_number}/sources/{source_id}/findings/{finding_id}/securityMarks"
marks=key=erat
- Mutable user specified security marks belonging to the parent resource. Constraints are as follows: * Keys and values are treated as case insensitive * Keys must be between 1 - 256 characters (inclusive) * Keys must be letters, numbers, underscores, or dashes * Values have leading and trailing whitespace trimmed, remaining characters must be between 1 - 4096 characters (inclusive)
- the value will be associated with the given
key
-
name=dolor
- The relative resource name of the SecurityMarks. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name Examples: "organizations/{organization_id}/assets/{asset_id}/securityMarks" "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}/securityMarks".
-
..security-posture changed-policy=amet.
- The name of the updated policy, for example,
projects/{project_id}/policies/{constraint_name}
.
- The name of the updated policy, for example,
name=kasd
- Name of the posture, for example,
CIS-Posture
.
- Name of the posture, for example,
policy=eirmod
- The ID of the updated policy, for example,
compute-policy-1
.
- The ID of the updated policy, for example,
policy-set=amet.
- The name of the updated policyset, for example,
cis-policyset
.
- The name of the updated policyset, for example,
posture-deployment=takimata
- The name of the posture deployment, for example,
organizations/{org_id}/posturedeployments/{posture_deployment_id}
.
- The name of the posture deployment, for example,
posture-deployment-resource=amet.
- The project, folder, or organization on which the posture is deployed, for example,
projects/{project_number}
.
- The project, folder, or organization on which the posture is deployed, for example,
-
revision-id=et
- The version of the posture, for example,
c7cfa2a8
.
- The version of the posture, for example,
-
.. severity=labore
- The severity of the finding. This field is managed by the source that writes the finding.
state=sed
- The state of the finding.
vulnerability.cve.cvssv3 attack-complexity=sit
- This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.
attack-vector=sit
- Base Metrics Represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. This metric reflects the context by which vulnerability exploitation is possible.
availability-impact=invidunt
- This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.
base-score=0.062468952945213485
- The base score is a function of the base metric scores.
confidentiality-impact=voluptua.
- This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.
integrity-impact=justo
- This metric measures the impact to integrity of a successfully exploited vulnerability.
privileges-required=amet.
- This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.
scope=aliquyam
- The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope.
-
user-interaction=et
- This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component.
-
.. exploitation-activity=gubergren
- The exploitation activity of the vulnerability in the wild.
id=sed
- The unique identifier for the vulnerability. e.g. CVE-2021-34527
impact=no
- The potential impact of the vulnerability if it was to be exploited.
observed-in-the-wild=false
- Whether or not the vulnerability has been observed in the wild.
upstream-fix-available=false
- Whether upstream fix is available for the CVE.
-
zero-day=false
- Whether or not the vulnerability was zero day when the finding was published.
-
..fixed-package cpe-uri=at
- The CPE URI where the vulnerability was detected.
package-name=et
- The name of the package where the vulnerability was detected.
package-type=accusam
- Type of package, for example, os, maven, or go.
-
package-version=sit
- The version of the package.
-
..offending-package cpe-uri=voluptua.
- The CPE URI where the vulnerability was detected.
package-name=kasd
- The name of the package where the vulnerability was detected.
package-type=no
- Type of package, for example, os, maven, or go.
-
package-version=amet.
- The version of the package.
-
..security-bulletin bulletin-id=aliquyam
- ID of the bulletin corresponding to the vulnerability.
submission-time=accusam
- Submission time of this Security Bulletin.
suggested-upgrade-version=sanctus
- This represents a version that the cluster receiving this notification should be upgraded to, based on its current version. For example, 1.15.0
About Cursors
The cursor position is key to comfortably set complex nested structures. The following rules apply:
- The cursor position is always set relative to the current one, unless the field name starts with the
.
character. Fields can be nested such as in-r f.s.o
. - The cursor position is set relative to the top-level structure if it starts with
.
, e.g.-r .s.s
- You can also set nested fields without setting the cursor explicitly. For example, to set a value relative to the current cursor position, you would specify
-r struct.sub_struct=bar
. - You can move the cursor one level up by using
..
. Each additional.
moves it up one additional level. E.g....
would go three levels up.
Optional Output Flags
The method's return value a JSON encoded structure, which will be written to standard output by default.
- -o out
- out specifies the destination to which to write the server's result to.
It will be a JSON-encoded structure.
The destination may be
-
to indicate standard output, or a filepath that is to contain the received bytes. If unset, it defaults to standard output.
- out specifies the destination to which to write the server's result to.
It will be a JSON-encoded structure.
The destination may be
Optional Method Properties
You may set the following properties to further configure the call. Please note that -p
is followed by one
or more key-value-pairs, and is called like this -p k1=v1 k2=v2
even though the listing below repeats the
-p
for completeness.
- -p update-mask=string
- The FieldMask to use when updating the finding resource. This field should not be specified when creating a finding. When updating a finding, an empty mask is treated as updating all mutable fields and replacing source_properties. Individual source_properties can be added/updated by using "source_properties." in the field mask.
Optional General Properties
The following properties can configure any call, and are not specific to this method.
-
-p $-xgafv=string
- V1 error format.
-
-p access-token=string
- OAuth access token.
-
-p alt=string
- Data format for response.
-
-p callback=string
- JSONP
-
-p fields=string
- Selector specifying which fields to include in a partial response.
-
-p key=string
- API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
-
-p oauth-token=string
- OAuth 2.0 token for the current user.
-
-p pretty-print=boolean
- Returns response with indentations and line breaks.
-
-p quota-user=string
- Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
-
-p upload-type=string
- Legacy upload protocol for media (e.g. "media", "multipart").
-
-p upload-protocol=string
- Upload protocol for media (e.g. "raw", "multipart").