1<html><body> 2<style> 3 4body, h1, h2, h3, div, span, p, pre, a { 5 margin: 0; 6 padding: 0; 7 border: 0; 8 font-weight: inherit; 9 font-style: inherit; 10 font-size: 100%; 11 font-family: inherit; 12 vertical-align: baseline; 13} 14 15body { 16 font-size: 13px; 17 padding: 1em; 18} 19 20h1 { 21 font-size: 26px; 22 margin-bottom: 1em; 23} 24 25h2 { 26 font-size: 24px; 27 margin-bottom: 1em; 28} 29 30h3 { 31 font-size: 20px; 32 margin-bottom: 1em; 33 margin-top: 1em; 34} 35 36pre, code { 37 line-height: 1.5; 38 font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; 39} 40 41pre { 42 margin-top: 0.5em; 43} 44 45h1, h2, h3, p { 46 font-family: Arial, sans serif; 47} 48 49h1, h2, h3 { 50 border-bottom: solid #CCC 1px; 51} 52 53.toc_element { 54 margin-top: 0.5em; 55} 56 57.firstline { 58 margin-left: 2 em; 59} 60 61.method { 62 margin-top: 1em; 63 border: solid 1px #CCC; 64 padding: 1em; 65 background: #EEE; 66} 67 68.details { 69 font-weight: bold; 70 font-size: 14px; 71} 72 73</style> 74 75<h1><a href="securitycenter_v1.html">Security Command Center API</a> . <a href="securitycenter_v1.organizations.html">organizations</a> . <a href="securitycenter_v1.organizations.sources.html">sources</a> . <a href="securitycenter_v1.organizations.sources.findings.html">findings</a></h1> 76<h2>Instance Methods</h2> 77<p class="toc_element"> 78 <code><a href="securitycenter_v1.organizations.sources.findings.externalSystems.html">externalSystems()</a></code> 79</p> 80<p class="firstline">Returns the externalSystems Resource.</p> 81 82<p class="toc_element"> 83 <code><a href="#close">close()</a></code></p> 84<p class="firstline">Close httplib2 connections.</p> 85<p class="toc_element"> 86 <code><a href="#create">create(parent, body=None, findingId=None, x__xgafv=None)</a></code></p> 87<p class="firstline">Creates a finding. The corresponding source must exist for finding creation to succeed.</p> 88<p class="toc_element"> 89 <code><a href="#group">group(parent, body=None, x__xgafv=None)</a></code></p> 90<p class="firstline">Filters an organization or source's findings and groups them by their specified properties. To group across all sources provide a `-` as the source id. Example: /v1/organizations/{organization_id}/sources/-/findings, /v1/folders/{folder_id}/sources/-/findings, /v1/projects/{project_id}/sources/-/findings</p> 91<p class="toc_element"> 92 <code><a href="#group_next">group_next(previous_request, previous_response)</a></code></p> 93<p class="firstline">Retrieves the next page of results.</p> 94<p class="toc_element"> 95 <code><a href="#list">list(parent, compareDuration=None, fieldMask=None, filter=None, orderBy=None, pageSize=None, pageToken=None, readTime=None, x__xgafv=None)</a></code></p> 96<p class="firstline">Lists an organization or source's findings. To list across all sources provide a `-` as the source id. Example: /v1/organizations/{organization_id}/sources/-/findings</p> 97<p class="toc_element"> 98 <code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p> 99<p class="firstline">Retrieves the next page of results.</p> 100<p class="toc_element"> 101 <code><a href="#patch">patch(name, body=None, updateMask=None, x__xgafv=None)</a></code></p> 102<p class="firstline">Creates or updates a finding. The corresponding source must exist for a finding creation to succeed.</p> 103<p class="toc_element"> 104 <code><a href="#setMute">setMute(name, body=None, x__xgafv=None)</a></code></p> 105<p class="firstline">Updates the mute state of a finding.</p> 106<p class="toc_element"> 107 <code><a href="#setState">setState(name, body=None, x__xgafv=None)</a></code></p> 108<p class="firstline">Updates the state of a finding.</p> 109<p class="toc_element"> 110 <code><a href="#updateSecurityMarks">updateSecurityMarks(name, body=None, startTime=None, updateMask=None, x__xgafv=None)</a></code></p> 111<p class="firstline">Updates security marks.</p> 112<h3>Method Details</h3> 113<div class="method"> 114 <code class="details" id="close">close()</code> 115 <pre>Close httplib2 connections.</pre> 116</div> 117 118<div class="method"> 119 <code class="details" id="create">create(parent, body=None, findingId=None, x__xgafv=None)</code> 120 <pre>Creates a finding. The corresponding source must exist for finding creation to succeed. 121 122Args: 123 parent: string, Required. Resource name of the new finding's parent. Its format should be "organizations/[organization_id]/sources/[source_id]". (required) 124 body: object, The request body. 125 The object takes the form of: 126 127{ # Security Command Center finding. A finding is a record of assessment data like security, risk, health, or privacy, that is ingested into Security Command Center for presentation, notification, analysis, policy testing, and enforcement. For example, a cross-site scripting (XSS) vulnerability in an App Engine application is a finding. 128 "access": { # Represents an access event. # Access details associated to the Finding, such as more information on the caller, which method was accessed, from where, etc. 129 "callerIp": "A String", # Caller's IP address, such as "1.1.1.1". 130 "callerIpGeo": { # Represents a geographical location for a given access. # The caller IP's geolocation, which identifies where the call came from. 131 "regionCode": "A String", # A CLDR. 132 }, 133 "methodName": "A String", # The method that the service account called, e.g. "SetIamPolicy". 134 "principalEmail": "A String", # Associated email, such as "foo@google.com". 135 "serviceName": "A String", # This is the API service that the service account made a call to, e.g. "iam.googleapis.com" 136 "userAgentFamily": "A String", # What kind of user agent is associated, e.g. operating system shells, embedded or stand-alone applications, etc. 137 }, 138 "canonicalName": "A String", # The canonical name of the finding. It's either "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}", "folders/{folder_id}/sources/{source_id}/findings/{finding_id}" or "projects/{project_number}/sources/{source_id}/findings/{finding_id}", depending on the closest CRM ancestor of the resource associated with the finding. 139 "category": "A String", # The additional taxonomy group within findings from a given source. This field is immutable after creation time. Example: "XSS_FLASH_INJECTION" 140 "createTime": "A String", # The time at which the finding was created in Security Command Center. 141 "eventTime": "A String", # The time at which the event took place, or when an update to the finding occurred. For example, if the finding represents an open firewall it would capture the time the detector believes the firewall became open. The accuracy is determined by the detector. If the finding were to be resolved afterward, this time would reflect when the finding was resolved. Must not be set to a value greater than the current timestamp. 142 "externalSystems": { # Output only. Third party SIEM/SOAR fields within SCC, contains external system information and external system finding fields. 143 "a_key": { # Representation of third party SIEM/SOAR fields within SCC. 144 "assignees": [ # References primary/secondary etc assignees in the external system. 145 "A String", 146 ], 147 "externalSystemUpdateTime": "A String", # The most recent time when the corresponding finding's ticket/tracker was updated in the external system. 148 "externalUid": "A String", # Identifier that's used to track the given finding in the external system. 149 "name": "A String", # External System Name e.g. jira, demisto, etc. e.g.: organizations/1234/sources/5678/findings/123456/externalSystems/jira folders/1234/sources/5678/findings/123456/externalSystems/jira projects/1234/sources/5678/findings/123456/externalSystems/jira 150 "status": "A String", # Most recent status of the corresponding finding's ticket/tracker in the external system. 151 }, 152 }, 153 "externalUri": "A String", # The URI that, if available, points to a web page outside of Security Command Center where additional information about the finding can be found. This field is guaranteed to be either empty or a well formed URL. 154 "findingClass": "A String", # The class of the finding. 155 "indicator": { # Represents what's commonly known as an Indicator of compromise (IoC) in computer forensics. This is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Reference: https://en.wikipedia.org/wiki/Indicator_of_compromise # Represents what's commonly known as an Indicator of compromise (IoC) in computer forensics. This is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Reference: https://en.wikipedia.org/wiki/Indicator_of_compromise 156 "domains": [ # List of domains associated to the Finding. 157 "A String", 158 ], 159 "ipAddresses": [ # List of ip addresses associated to the Finding. 160 "A String", 161 ], 162 }, 163 "mitreAttack": { # MITRE ATT&CK tactics and techniques related to this finding. See: https://attack.mitre.org # MITRE ATT&CK tactics and techniques related to this finding. See: https://attack.mitre.org 164 "additionalTactics": [ # Additional MITRE ATT&CK tactics related to this finding, if any. 165 "A String", 166 ], 167 "additionalTechniques": [ # Additional MITRE ATT&CK techniques related to this finding, if any, along with any of their respective parent techniques. 168 "A String", 169 ], 170 "primaryTactic": "A String", # The MITRE ATT&CK tactic most closely represented by this finding, if any. 171 "primaryTechniques": [ # The MITRE ATT&CK technique most closely represented by this finding, if any. primary_techniques is a repeated field because there are multiple levels of MITRE ATT&CK techniques. If the technique most closely represented by this finding is a sub-technique (e.g. SCANNING_IP_BLOCKS), both the sub-technique and its parent technique(s) will be listed (e.g. SCANNING_IP_BLOCKS, ACTIVE_SCANNING). 172 "A String", 173 ], 174 "version": "A String", # The MITRE ATT&CK version referenced by the above fields. E.g. "8". 175 }, 176 "mute": "A String", # Indicates the mute state of a finding (either unspecified, muted, unmuted or undefined). 177 "muteInitiator": "A String", # First known as mute_annotation. Records additional information about the mute operation e.g. mute config that muted the finding, user who muted the finding, etc. 178 "muteUpdateTime": "A String", # Output only. The most recent time this finding was muted or unmuted. 179 "name": "A String", # The relative resource name of this finding. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name Example: "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}" 180 "parent": "A String", # The relative resource name of the source the finding belongs to. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name This field is immutable after creation time. For example: "organizations/{organization_id}/sources/{source_id}" 181 "resourceName": "A String", # For findings on Google Cloud resources, the full resource name of the Google Cloud resource this finding is for. See: https://cloud.google.com/apis/design/resource_names#full_resource_name When the finding is for a non-Google Cloud resource, the resourceName can be a customer or partner defined string. This field is immutable after creation time. 182 "securityMarks": { # User specified security marks that are attached to the parent Security Command Center resource. Security marks are scoped within a Security Command Center organization -- they can be modified and viewed by all users who have proper permissions on the organization. # Output only. User specified security marks. These marks are entirely managed by the user and come from the SecurityMarks resource that belongs to the finding. 183 "canonicalName": "A String", # The canonical name of the marks. Examples: "organizations/{organization_id}/assets/{asset_id}/securityMarks" "folders/{folder_id}/assets/{asset_id}/securityMarks" "projects/{project_number}/assets/{asset_id}/securityMarks" "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}/securityMarks" "folders/{folder_id}/sources/{source_id}/findings/{finding_id}/securityMarks" "projects/{project_number}/sources/{source_id}/findings/{finding_id}/securityMarks" 184 "marks": { # Mutable user specified security marks belonging to the parent resource. Constraints are as follows: * Keys and values are treated as case insensitive * Keys must be between 1 - 256 characters (inclusive) * Keys must be letters, numbers, underscores, or dashes * Values have leading and trailing whitespace trimmed, remaining characters must be between 1 - 4096 characters (inclusive) 185 "a_key": "A String", 186 }, 187 "name": "A String", # The relative resource name of the SecurityMarks. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name Examples: "organizations/{organization_id}/assets/{asset_id}/securityMarks" "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}/securityMarks". 188 }, 189 "severity": "A String", # The severity of the finding. This field is managed by the source that writes the finding. 190 "sourceProperties": { # Source specific properties. These properties are managed by the source that writes the finding. The key names in the source_properties map must be between 1 and 255 characters, and must start with a letter and contain alphanumeric characters or underscores only. 191 "a_key": "", 192 }, 193 "state": "A String", # The state of the finding. 194 "vulnerability": { # Refers to common vulnerability fields e.g. cve, cvss, cwe etc. # Represents vulnerability specific fields like cve, cvss scores etc. CVE stands for Common Vulnerabilities and Exposures (https://cve.mitre.org/about/) 195 "cve": { # CVE stands for Common Vulnerabilities and Exposures. More information: https://cve.mitre.org # CVE stands for Common Vulnerabilities and Exposures (https://cve.mitre.org/about/) 196 "cvssv3": { # Common Vulnerability Scoring System version 3. # Describe Common Vulnerability Scoring System specified at https://www.first.org/cvss/v3.1/specification-document 197 "attackComplexity": "A String", # This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. 198 "attackVector": "A String", # Base Metrics Represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. This metric reflects the context by which vulnerability exploitation is possible. 199 "availabilityImpact": "A String", # This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. 200 "baseScore": 3.14, # The base score is a function of the base metric scores. 201 "confidentialityImpact": "A String", # This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. 202 "integrityImpact": "A String", # This metric measures the impact to integrity of a successfully exploited vulnerability. 203 "privilegesRequired": "A String", # This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. 204 "scope": "A String", # The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope. 205 "userInteraction": "A String", # This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component. 206 }, 207 "id": "A String", # The unique identifier for the vulnerability. e.g. CVE-2021-34527 208 "references": [ # Additional information about the CVE. e.g. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527 209 { # Additional Links 210 "source": "A String", # Source of the reference e.g. NVD 211 "uri": "A String", # Uri for the mentioned source e.g. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527. 212 }, 213 ], 214 }, 215 }, 216} 217 218 findingId: string, Required. Unique identifier provided by the client within the parent scope. It must be alphanumeric and less than or equal to 32 characters and greater than 0 characters in length. 219 x__xgafv: string, V1 error format. 220 Allowed values 221 1 - v1 error format 222 2 - v2 error format 223 224Returns: 225 An object of the form: 226 227 { # Security Command Center finding. A finding is a record of assessment data like security, risk, health, or privacy, that is ingested into Security Command Center for presentation, notification, analysis, policy testing, and enforcement. For example, a cross-site scripting (XSS) vulnerability in an App Engine application is a finding. 228 "access": { # Represents an access event. # Access details associated to the Finding, such as more information on the caller, which method was accessed, from where, etc. 229 "callerIp": "A String", # Caller's IP address, such as "1.1.1.1". 230 "callerIpGeo": { # Represents a geographical location for a given access. # The caller IP's geolocation, which identifies where the call came from. 231 "regionCode": "A String", # A CLDR. 232 }, 233 "methodName": "A String", # The method that the service account called, e.g. "SetIamPolicy". 234 "principalEmail": "A String", # Associated email, such as "foo@google.com". 235 "serviceName": "A String", # This is the API service that the service account made a call to, e.g. "iam.googleapis.com" 236 "userAgentFamily": "A String", # What kind of user agent is associated, e.g. operating system shells, embedded or stand-alone applications, etc. 237 }, 238 "canonicalName": "A String", # The canonical name of the finding. It's either "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}", "folders/{folder_id}/sources/{source_id}/findings/{finding_id}" or "projects/{project_number}/sources/{source_id}/findings/{finding_id}", depending on the closest CRM ancestor of the resource associated with the finding. 239 "category": "A String", # The additional taxonomy group within findings from a given source. This field is immutable after creation time. Example: "XSS_FLASH_INJECTION" 240 "createTime": "A String", # The time at which the finding was created in Security Command Center. 241 "eventTime": "A String", # The time at which the event took place, or when an update to the finding occurred. For example, if the finding represents an open firewall it would capture the time the detector believes the firewall became open. The accuracy is determined by the detector. If the finding were to be resolved afterward, this time would reflect when the finding was resolved. Must not be set to a value greater than the current timestamp. 242 "externalSystems": { # Output only. Third party SIEM/SOAR fields within SCC, contains external system information and external system finding fields. 243 "a_key": { # Representation of third party SIEM/SOAR fields within SCC. 244 "assignees": [ # References primary/secondary etc assignees in the external system. 245 "A String", 246 ], 247 "externalSystemUpdateTime": "A String", # The most recent time when the corresponding finding's ticket/tracker was updated in the external system. 248 "externalUid": "A String", # Identifier that's used to track the given finding in the external system. 249 "name": "A String", # External System Name e.g. jira, demisto, etc. e.g.: organizations/1234/sources/5678/findings/123456/externalSystems/jira folders/1234/sources/5678/findings/123456/externalSystems/jira projects/1234/sources/5678/findings/123456/externalSystems/jira 250 "status": "A String", # Most recent status of the corresponding finding's ticket/tracker in the external system. 251 }, 252 }, 253 "externalUri": "A String", # The URI that, if available, points to a web page outside of Security Command Center where additional information about the finding can be found. This field is guaranteed to be either empty or a well formed URL. 254 "findingClass": "A String", # The class of the finding. 255 "indicator": { # Represents what's commonly known as an Indicator of compromise (IoC) in computer forensics. This is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Reference: https://en.wikipedia.org/wiki/Indicator_of_compromise # Represents what's commonly known as an Indicator of compromise (IoC) in computer forensics. This is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Reference: https://en.wikipedia.org/wiki/Indicator_of_compromise 256 "domains": [ # List of domains associated to the Finding. 257 "A String", 258 ], 259 "ipAddresses": [ # List of ip addresses associated to the Finding. 260 "A String", 261 ], 262 }, 263 "mitreAttack": { # MITRE ATT&CK tactics and techniques related to this finding. See: https://attack.mitre.org # MITRE ATT&CK tactics and techniques related to this finding. See: https://attack.mitre.org 264 "additionalTactics": [ # Additional MITRE ATT&CK tactics related to this finding, if any. 265 "A String", 266 ], 267 "additionalTechniques": [ # Additional MITRE ATT&CK techniques related to this finding, if any, along with any of their respective parent techniques. 268 "A String", 269 ], 270 "primaryTactic": "A String", # The MITRE ATT&CK tactic most closely represented by this finding, if any. 271 "primaryTechniques": [ # The MITRE ATT&CK technique most closely represented by this finding, if any. primary_techniques is a repeated field because there are multiple levels of MITRE ATT&CK techniques. If the technique most closely represented by this finding is a sub-technique (e.g. SCANNING_IP_BLOCKS), both the sub-technique and its parent technique(s) will be listed (e.g. SCANNING_IP_BLOCKS, ACTIVE_SCANNING). 272 "A String", 273 ], 274 "version": "A String", # The MITRE ATT&CK version referenced by the above fields. E.g. "8". 275 }, 276 "mute": "A String", # Indicates the mute state of a finding (either unspecified, muted, unmuted or undefined). 277 "muteInitiator": "A String", # First known as mute_annotation. Records additional information about the mute operation e.g. mute config that muted the finding, user who muted the finding, etc. 278 "muteUpdateTime": "A String", # Output only. The most recent time this finding was muted or unmuted. 279 "name": "A String", # The relative resource name of this finding. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name Example: "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}" 280 "parent": "A String", # The relative resource name of the source the finding belongs to. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name This field is immutable after creation time. For example: "organizations/{organization_id}/sources/{source_id}" 281 "resourceName": "A String", # For findings on Google Cloud resources, the full resource name of the Google Cloud resource this finding is for. See: https://cloud.google.com/apis/design/resource_names#full_resource_name When the finding is for a non-Google Cloud resource, the resourceName can be a customer or partner defined string. This field is immutable after creation time. 282 "securityMarks": { # User specified security marks that are attached to the parent Security Command Center resource. Security marks are scoped within a Security Command Center organization -- they can be modified and viewed by all users who have proper permissions on the organization. # Output only. User specified security marks. These marks are entirely managed by the user and come from the SecurityMarks resource that belongs to the finding. 283 "canonicalName": "A String", # The canonical name of the marks. Examples: "organizations/{organization_id}/assets/{asset_id}/securityMarks" "folders/{folder_id}/assets/{asset_id}/securityMarks" "projects/{project_number}/assets/{asset_id}/securityMarks" "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}/securityMarks" "folders/{folder_id}/sources/{source_id}/findings/{finding_id}/securityMarks" "projects/{project_number}/sources/{source_id}/findings/{finding_id}/securityMarks" 284 "marks": { # Mutable user specified security marks belonging to the parent resource. Constraints are as follows: * Keys and values are treated as case insensitive * Keys must be between 1 - 256 characters (inclusive) * Keys must be letters, numbers, underscores, or dashes * Values have leading and trailing whitespace trimmed, remaining characters must be between 1 - 4096 characters (inclusive) 285 "a_key": "A String", 286 }, 287 "name": "A String", # The relative resource name of the SecurityMarks. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name Examples: "organizations/{organization_id}/assets/{asset_id}/securityMarks" "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}/securityMarks". 288 }, 289 "severity": "A String", # The severity of the finding. This field is managed by the source that writes the finding. 290 "sourceProperties": { # Source specific properties. These properties are managed by the source that writes the finding. The key names in the source_properties map must be between 1 and 255 characters, and must start with a letter and contain alphanumeric characters or underscores only. 291 "a_key": "", 292 }, 293 "state": "A String", # The state of the finding. 294 "vulnerability": { # Refers to common vulnerability fields e.g. cve, cvss, cwe etc. # Represents vulnerability specific fields like cve, cvss scores etc. CVE stands for Common Vulnerabilities and Exposures (https://cve.mitre.org/about/) 295 "cve": { # CVE stands for Common Vulnerabilities and Exposures. More information: https://cve.mitre.org # CVE stands for Common Vulnerabilities and Exposures (https://cve.mitre.org/about/) 296 "cvssv3": { # Common Vulnerability Scoring System version 3. # Describe Common Vulnerability Scoring System specified at https://www.first.org/cvss/v3.1/specification-document 297 "attackComplexity": "A String", # This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. 298 "attackVector": "A String", # Base Metrics Represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. This metric reflects the context by which vulnerability exploitation is possible. 299 "availabilityImpact": "A String", # This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. 300 "baseScore": 3.14, # The base score is a function of the base metric scores. 301 "confidentialityImpact": "A String", # This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. 302 "integrityImpact": "A String", # This metric measures the impact to integrity of a successfully exploited vulnerability. 303 "privilegesRequired": "A String", # This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. 304 "scope": "A String", # The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope. 305 "userInteraction": "A String", # This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component. 306 }, 307 "id": "A String", # The unique identifier for the vulnerability. e.g. CVE-2021-34527 308 "references": [ # Additional information about the CVE. e.g. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527 309 { # Additional Links 310 "source": "A String", # Source of the reference e.g. NVD 311 "uri": "A String", # Uri for the mentioned source e.g. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527. 312 }, 313 ], 314 }, 315 }, 316}</pre> 317</div> 318 319<div class="method"> 320 <code class="details" id="group">group(parent, body=None, x__xgafv=None)</code> 321 <pre>Filters an organization or source's findings and groups them by their specified properties. To group across all sources provide a `-` as the source id. Example: /v1/organizations/{organization_id}/sources/-/findings, /v1/folders/{folder_id}/sources/-/findings, /v1/projects/{project_id}/sources/-/findings 322 323Args: 324 parent: string, Required. Name of the source to groupBy. Its format is "organizations/[organization_id]/sources/[source_id]", folders/[folder_id]/sources/[source_id], or projects/[project_id]/sources/[source_id]. To groupBy across all sources provide a source_id of `-`. For example: organizations/{organization_id}/sources/-, folders/{folder_id}/sources/-, or projects/{project_id}/sources/- (required) 325 body: object, The request body. 326 The object takes the form of: 327 328{ # Request message for grouping by findings. 329 "compareDuration": "A String", # When compare_duration is set, the GroupResult's "state_change" attribute is updated to indicate whether the finding had its state changed, the finding's state remained unchanged, or if the finding was added during the compare_duration period of time that precedes the read_time. This is the time between (read_time - compare_duration) and read_time. The state_change value is derived based on the presence and state of the finding at the two points in time. Intermediate state changes between the two times don't affect the result. For example, the results aren't affected if the finding is made inactive and then active again. Possible "state_change" values when compare_duration is specified: * "CHANGED": indicates that the finding was present and matched the given filter at the start of compare_duration, but changed its state at read_time. * "UNCHANGED": indicates that the finding was present and matched the given filter at the start of compare_duration and did not change state at read_time. * "ADDED": indicates that the finding did not match the given filter or was not present at the start of compare_duration, but was present at read_time. * "REMOVED": indicates that the finding was present and matched the filter at the start of compare_duration, but did not match the filter at read_time. If compare_duration is not specified, then the only possible state_change is "UNUSED", which will be the state_change set for all findings present at read_time. If this field is set then `state_change` must be a specified field in `group_by`. 330 "filter": "A String", # Expression that defines the filter to apply across findings. The expression is a list of one or more restrictions combined via logical operators `AND` and `OR`. Parentheses are supported, and `OR` has higher precedence than `AND`. Restrictions have the form ` ` and may have a `-` character in front of them to indicate negation. Examples include: * name * source_properties.a_property * security_marks.marks.marka The supported operators are: * `=` for all value types. * `>`, `<`, `>=`, `<=` for integer values. * `:`, meaning substring matching, for strings. The supported value types are: * string literals in quotes. * integer literals without quotes. * boolean literals `true` and `false` without quotes. The following field and operator combinations are supported: * name: `=` * parent: `=`, `:` * resource_name: `=`, `:` * state: `=`, `:` * category: `=`, `:` * external_uri: `=`, `:` * event_time: `=`, `>`, `<`, `>=`, `<=` Usage: This should be milliseconds since epoch or an RFC3339 string. Examples: `event_time = "2019-06-10T16:07:18-07:00"` `event_time = 1560208038000` * severity: `=`, `:` * workflow_state: `=`, `:` * security_marks.marks: `=`, `:` * source_properties: `=`, `:`, `>`, `<`, `>=`, `<=` For example, `source_properties.size = 100` is a valid filter string. Use a partial match on the empty string to filter based on a property existing: `source_properties.my_property : ""` Use a negated partial match on the empty string to filter based on a property not existing: `-source_properties.my_property : ""` * resource: * resource.name: `=`, `:` * resource.parent_name: `=`, `:` * resource.parent_display_name: `=`, `:` * resource.project_name: `=`, `:` * resource.project_display_name: `=`, `:` * resource.type: `=`, `:` 331 "groupBy": "A String", # Required. Expression that defines what assets fields to use for grouping (including `state_change`). The string value should follow SQL syntax: comma separated list of fields. For example: "parent,resource_name". The following fields are supported: * resource_name * category * state * parent * severity The following fields are supported when compare_duration is set: * state_change 332 "pageSize": 42, # The maximum number of results to return in a single response. Default is 10, minimum is 1, maximum is 1000. 333 "pageToken": "A String", # The value returned by the last `GroupFindingsResponse`; indicates that this is a continuation of a prior `GroupFindings` call, and that the system should return the next page of data. 334 "readTime": "A String", # Time used as a reference point when filtering findings. The filter is limited to findings existing at the supplied time and their values are those at that specific time. Absence of this field will default to the API's version of NOW. 335} 336 337 x__xgafv: string, V1 error format. 338 Allowed values 339 1 - v1 error format 340 2 - v2 error format 341 342Returns: 343 An object of the form: 344 345 { # Response message for group by findings. 346 "groupByResults": [ # Group results. There exists an element for each existing unique combination of property/values. The element contains a count for the number of times those specific property/values appear. 347 { # Result containing the properties and count of a groupBy request. 348 "count": "A String", # Total count of resources for the given properties. 349 "properties": { # Properties matching the groupBy fields in the request. 350 "a_key": "", 351 }, 352 }, 353 ], 354 "nextPageToken": "A String", # Token to retrieve the next page of results, or empty if there are no more results. 355 "readTime": "A String", # Time used for executing the groupBy request. 356 "totalSize": 42, # The total number of results matching the query. 357}</pre> 358</div> 359 360<div class="method"> 361 <code class="details" id="group_next">group_next(previous_request, previous_response)</code> 362 <pre>Retrieves the next page of results. 363 364Args: 365 previous_request: The request for the previous page. (required) 366 previous_response: The response from the request for the previous page. (required) 367 368Returns: 369 A request object that you can call 'execute()' on to request the next 370 page. Returns None if there are no more items in the collection. 371 </pre> 372</div> 373 374<div class="method"> 375 <code class="details" id="list">list(parent, compareDuration=None, fieldMask=None, filter=None, orderBy=None, pageSize=None, pageToken=None, readTime=None, x__xgafv=None)</code> 376 <pre>Lists an organization or source's findings. To list across all sources provide a `-` as the source id. Example: /v1/organizations/{organization_id}/sources/-/findings 377 378Args: 379 parent: string, Required. Name of the source the findings belong to. Its format is "organizations/[organization_id]/sources/[source_id], folders/[folder_id]/sources/[source_id], or projects/[project_id]/sources/[source_id]". To list across all sources provide a source_id of `-`. For example: organizations/{organization_id}/sources/-, folders/{folder_id}/sources/- or projects/{projects_id}/sources/- (required) 380 compareDuration: string, When compare_duration is set, the ListFindingsResult's "state_change" attribute is updated to indicate whether the finding had its state changed, the finding's state remained unchanged, or if the finding was added in any state during the compare_duration period of time that precedes the read_time. This is the time between (read_time - compare_duration) and read_time. The state_change value is derived based on the presence and state of the finding at the two points in time. Intermediate state changes between the two times don't affect the result. For example, the results aren't affected if the finding is made inactive and then active again. Possible "state_change" values when compare_duration is specified: * "CHANGED": indicates that the finding was present and matched the given filter at the start of compare_duration, but changed its state at read_time. * "UNCHANGED": indicates that the finding was present and matched the given filter at the start of compare_duration and did not change state at read_time. * "ADDED": indicates that the finding did not match the given filter or was not present at the start of compare_duration, but was present at read_time. * "REMOVED": indicates that the finding was present and matched the filter at the start of compare_duration, but did not match the filter at read_time. If compare_duration is not specified, then the only possible state_change is "UNUSED", which will be the state_change set for all findings present at read_time. 381 fieldMask: string, A field mask to specify the Finding fields to be listed in the response. An empty field mask will list all fields. 382 filter: string, Expression that defines the filter to apply across findings. The expression is a list of one or more restrictions combined via logical operators `AND` and `OR`. Parentheses are supported, and `OR` has higher precedence than `AND`. Restrictions have the form ` ` and may have a `-` character in front of them to indicate negation. Examples include: * name * source_properties.a_property * security_marks.marks.marka The supported operators are: * `=` for all value types. * `>`, `<`, `>=`, `<=` for integer values. * `:`, meaning substring matching, for strings. The supported value types are: * string literals in quotes. * integer literals without quotes. * boolean literals `true` and `false` without quotes. The following field and operator combinations are supported: * name: `=` * parent: `=`, `:` * resource_name: `=`, `:` * state: `=`, `:` * category: `=`, `:` * external_uri: `=`, `:` * event_time: `=`, `>`, `<`, `>=`, `<=` Usage: This should be milliseconds since epoch or an RFC3339 string. Examples: `event_time = "2019-06-10T16:07:18-07:00"` `event_time = 1560208038000` * severity: `=`, `:` * workflow_state: `=`, `:` * security_marks.marks: `=`, `:` * source_properties: `=`, `:`, `>`, `<`, `>=`, `<=` For example, `source_properties.size = 100` is a valid filter string. Use a partial match on the empty string to filter based on a property existing: `source_properties.my_property : ""` Use a negated partial match on the empty string to filter based on a property not existing: `-source_properties.my_property : ""` * resource: * resource.name: `=`, `:` * resource.parent_name: `=`, `:` * resource.parent_display_name: `=`, `:` * resource.project_name: `=`, `:` * resource.project_display_name: `=`, `:` * resource.type: `=`, `:` * resource.folders.resource_folder: `=`, `:` * resource.display_name: `=`, `:` 383 orderBy: string, Expression that defines what fields and order to use for sorting. The string value should follow SQL syntax: comma separated list of fields. For example: "name,resource_properties.a_property". The default sorting order is ascending. To specify descending order for a field, a suffix " desc" should be appended to the field name. For example: "name desc,source_properties.a_property". Redundant space characters in the syntax are insignificant. "name desc,source_properties.a_property" and " name desc , source_properties.a_property " are equivalent. The following fields are supported: name parent state category resource_name event_time source_properties security_marks.marks 384 pageSize: integer, The maximum number of results to return in a single response. Default is 10, minimum is 1, maximum is 1000. 385 pageToken: string, The value returned by the last `ListFindingsResponse`; indicates that this is a continuation of a prior `ListFindings` call, and that the system should return the next page of data. 386 readTime: string, Time used as a reference point when filtering findings. The filter is limited to findings existing at the supplied time and their values are those at that specific time. Absence of this field will default to the API's version of NOW. 387 x__xgafv: string, V1 error format. 388 Allowed values 389 1 - v1 error format 390 2 - v2 error format 391 392Returns: 393 An object of the form: 394 395 { # Response message for listing findings. 396 "listFindingsResults": [ # Findings matching the list request. 397 { # Result containing the Finding and its StateChange. 398 "finding": { # Security Command Center finding. A finding is a record of assessment data like security, risk, health, or privacy, that is ingested into Security Command Center for presentation, notification, analysis, policy testing, and enforcement. For example, a cross-site scripting (XSS) vulnerability in an App Engine application is a finding. # Finding matching the search request. 399 "access": { # Represents an access event. # Access details associated to the Finding, such as more information on the caller, which method was accessed, from where, etc. 400 "callerIp": "A String", # Caller's IP address, such as "1.1.1.1". 401 "callerIpGeo": { # Represents a geographical location for a given access. # The caller IP's geolocation, which identifies where the call came from. 402 "regionCode": "A String", # A CLDR. 403 }, 404 "methodName": "A String", # The method that the service account called, e.g. "SetIamPolicy". 405 "principalEmail": "A String", # Associated email, such as "foo@google.com". 406 "serviceName": "A String", # This is the API service that the service account made a call to, e.g. "iam.googleapis.com" 407 "userAgentFamily": "A String", # What kind of user agent is associated, e.g. operating system shells, embedded or stand-alone applications, etc. 408 }, 409 "canonicalName": "A String", # The canonical name of the finding. It's either "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}", "folders/{folder_id}/sources/{source_id}/findings/{finding_id}" or "projects/{project_number}/sources/{source_id}/findings/{finding_id}", depending on the closest CRM ancestor of the resource associated with the finding. 410 "category": "A String", # The additional taxonomy group within findings from a given source. This field is immutable after creation time. Example: "XSS_FLASH_INJECTION" 411 "createTime": "A String", # The time at which the finding was created in Security Command Center. 412 "eventTime": "A String", # The time at which the event took place, or when an update to the finding occurred. For example, if the finding represents an open firewall it would capture the time the detector believes the firewall became open. The accuracy is determined by the detector. If the finding were to be resolved afterward, this time would reflect when the finding was resolved. Must not be set to a value greater than the current timestamp. 413 "externalSystems": { # Output only. Third party SIEM/SOAR fields within SCC, contains external system information and external system finding fields. 414 "a_key": { # Representation of third party SIEM/SOAR fields within SCC. 415 "assignees": [ # References primary/secondary etc assignees in the external system. 416 "A String", 417 ], 418 "externalSystemUpdateTime": "A String", # The most recent time when the corresponding finding's ticket/tracker was updated in the external system. 419 "externalUid": "A String", # Identifier that's used to track the given finding in the external system. 420 "name": "A String", # External System Name e.g. jira, demisto, etc. e.g.: organizations/1234/sources/5678/findings/123456/externalSystems/jira folders/1234/sources/5678/findings/123456/externalSystems/jira projects/1234/sources/5678/findings/123456/externalSystems/jira 421 "status": "A String", # Most recent status of the corresponding finding's ticket/tracker in the external system. 422 }, 423 }, 424 "externalUri": "A String", # The URI that, if available, points to a web page outside of Security Command Center where additional information about the finding can be found. This field is guaranteed to be either empty or a well formed URL. 425 "findingClass": "A String", # The class of the finding. 426 "indicator": { # Represents what's commonly known as an Indicator of compromise (IoC) in computer forensics. This is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Reference: https://en.wikipedia.org/wiki/Indicator_of_compromise # Represents what's commonly known as an Indicator of compromise (IoC) in computer forensics. This is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Reference: https://en.wikipedia.org/wiki/Indicator_of_compromise 427 "domains": [ # List of domains associated to the Finding. 428 "A String", 429 ], 430 "ipAddresses": [ # List of ip addresses associated to the Finding. 431 "A String", 432 ], 433 }, 434 "mitreAttack": { # MITRE ATT&CK tactics and techniques related to this finding. See: https://attack.mitre.org # MITRE ATT&CK tactics and techniques related to this finding. See: https://attack.mitre.org 435 "additionalTactics": [ # Additional MITRE ATT&CK tactics related to this finding, if any. 436 "A String", 437 ], 438 "additionalTechniques": [ # Additional MITRE ATT&CK techniques related to this finding, if any, along with any of their respective parent techniques. 439 "A String", 440 ], 441 "primaryTactic": "A String", # The MITRE ATT&CK tactic most closely represented by this finding, if any. 442 "primaryTechniques": [ # The MITRE ATT&CK technique most closely represented by this finding, if any. primary_techniques is a repeated field because there are multiple levels of MITRE ATT&CK techniques. If the technique most closely represented by this finding is a sub-technique (e.g. SCANNING_IP_BLOCKS), both the sub-technique and its parent technique(s) will be listed (e.g. SCANNING_IP_BLOCKS, ACTIVE_SCANNING). 443 "A String", 444 ], 445 "version": "A String", # The MITRE ATT&CK version referenced by the above fields. E.g. "8". 446 }, 447 "mute": "A String", # Indicates the mute state of a finding (either unspecified, muted, unmuted or undefined). 448 "muteInitiator": "A String", # First known as mute_annotation. Records additional information about the mute operation e.g. mute config that muted the finding, user who muted the finding, etc. 449 "muteUpdateTime": "A String", # Output only. The most recent time this finding was muted or unmuted. 450 "name": "A String", # The relative resource name of this finding. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name Example: "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}" 451 "parent": "A String", # The relative resource name of the source the finding belongs to. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name This field is immutable after creation time. For example: "organizations/{organization_id}/sources/{source_id}" 452 "resourceName": "A String", # For findings on Google Cloud resources, the full resource name of the Google Cloud resource this finding is for. See: https://cloud.google.com/apis/design/resource_names#full_resource_name When the finding is for a non-Google Cloud resource, the resourceName can be a customer or partner defined string. This field is immutable after creation time. 453 "securityMarks": { # User specified security marks that are attached to the parent Security Command Center resource. Security marks are scoped within a Security Command Center organization -- they can be modified and viewed by all users who have proper permissions on the organization. # Output only. User specified security marks. These marks are entirely managed by the user and come from the SecurityMarks resource that belongs to the finding. 454 "canonicalName": "A String", # The canonical name of the marks. Examples: "organizations/{organization_id}/assets/{asset_id}/securityMarks" "folders/{folder_id}/assets/{asset_id}/securityMarks" "projects/{project_number}/assets/{asset_id}/securityMarks" "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}/securityMarks" "folders/{folder_id}/sources/{source_id}/findings/{finding_id}/securityMarks" "projects/{project_number}/sources/{source_id}/findings/{finding_id}/securityMarks" 455 "marks": { # Mutable user specified security marks belonging to the parent resource. Constraints are as follows: * Keys and values are treated as case insensitive * Keys must be between 1 - 256 characters (inclusive) * Keys must be letters, numbers, underscores, or dashes * Values have leading and trailing whitespace trimmed, remaining characters must be between 1 - 4096 characters (inclusive) 456 "a_key": "A String", 457 }, 458 "name": "A String", # The relative resource name of the SecurityMarks. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name Examples: "organizations/{organization_id}/assets/{asset_id}/securityMarks" "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}/securityMarks". 459 }, 460 "severity": "A String", # The severity of the finding. This field is managed by the source that writes the finding. 461 "sourceProperties": { # Source specific properties. These properties are managed by the source that writes the finding. The key names in the source_properties map must be between 1 and 255 characters, and must start with a letter and contain alphanumeric characters or underscores only. 462 "a_key": "", 463 }, 464 "state": "A String", # The state of the finding. 465 "vulnerability": { # Refers to common vulnerability fields e.g. cve, cvss, cwe etc. # Represents vulnerability specific fields like cve, cvss scores etc. CVE stands for Common Vulnerabilities and Exposures (https://cve.mitre.org/about/) 466 "cve": { # CVE stands for Common Vulnerabilities and Exposures. More information: https://cve.mitre.org # CVE stands for Common Vulnerabilities and Exposures (https://cve.mitre.org/about/) 467 "cvssv3": { # Common Vulnerability Scoring System version 3. # Describe Common Vulnerability Scoring System specified at https://www.first.org/cvss/v3.1/specification-document 468 "attackComplexity": "A String", # This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. 469 "attackVector": "A String", # Base Metrics Represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. This metric reflects the context by which vulnerability exploitation is possible. 470 "availabilityImpact": "A String", # This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. 471 "baseScore": 3.14, # The base score is a function of the base metric scores. 472 "confidentialityImpact": "A String", # This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. 473 "integrityImpact": "A String", # This metric measures the impact to integrity of a successfully exploited vulnerability. 474 "privilegesRequired": "A String", # This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. 475 "scope": "A String", # The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope. 476 "userInteraction": "A String", # This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component. 477 }, 478 "id": "A String", # The unique identifier for the vulnerability. e.g. CVE-2021-34527 479 "references": [ # Additional information about the CVE. e.g. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527 480 { # Additional Links 481 "source": "A String", # Source of the reference e.g. NVD 482 "uri": "A String", # Uri for the mentioned source e.g. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527. 483 }, 484 ], 485 }, 486 }, 487 }, 488 "resource": { # Information related to the Google Cloud resource that is associated with this finding. # Output only. Resource that is associated with this finding. 489 "displayName": "A String", # The human readable name of the resource. 490 "folders": [ # Contains a Folder message for each folder in the assets ancestry. The first folder is the deepest nested folder, and the last folder is the folder directly under the Organization. 491 { # Message that contains the resource name and display name of a folder resource. 492 "resourceFolder": "A String", # Full resource name of this folder. See: https://cloud.google.com/apis/design/resource_names#full_resource_name 493 "resourceFolderDisplayName": "A String", # The user defined display name for this folder. 494 }, 495 ], 496 "name": "A String", # The full resource name of the resource. See: https://cloud.google.com/apis/design/resource_names#full_resource_name 497 "parentDisplayName": "A String", # The human readable name of resource's parent. 498 "parentName": "A String", # The full resource name of resource's parent. 499 "projectDisplayName": "A String", # The human readable name of project that the resource belongs to. 500 "projectName": "A String", # The full resource name of project that the resource belongs to. 501 "type": "A String", # The full resource type of the resource. 502 }, 503 "stateChange": "A String", # State change of the finding between the points in time. 504 }, 505 ], 506 "nextPageToken": "A String", # Token to retrieve the next page of results, or empty if there are no more results. 507 "readTime": "A String", # Time used for executing the list request. 508 "totalSize": 42, # The total number of findings matching the query. 509}</pre> 510</div> 511 512<div class="method"> 513 <code class="details" id="list_next">list_next(previous_request, previous_response)</code> 514 <pre>Retrieves the next page of results. 515 516Args: 517 previous_request: The request for the previous page. (required) 518 previous_response: The response from the request for the previous page. (required) 519 520Returns: 521 A request object that you can call 'execute()' on to request the next 522 page. Returns None if there are no more items in the collection. 523 </pre> 524</div> 525 526<div class="method"> 527 <code class="details" id="patch">patch(name, body=None, updateMask=None, x__xgafv=None)</code> 528 <pre>Creates or updates a finding. The corresponding source must exist for a finding creation to succeed. 529 530Args: 531 name: string, The relative resource name of this finding. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name Example: "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}" (required) 532 body: object, The request body. 533 The object takes the form of: 534 535{ # Security Command Center finding. A finding is a record of assessment data like security, risk, health, or privacy, that is ingested into Security Command Center for presentation, notification, analysis, policy testing, and enforcement. For example, a cross-site scripting (XSS) vulnerability in an App Engine application is a finding. 536 "access": { # Represents an access event. # Access details associated to the Finding, such as more information on the caller, which method was accessed, from where, etc. 537 "callerIp": "A String", # Caller's IP address, such as "1.1.1.1". 538 "callerIpGeo": { # Represents a geographical location for a given access. # The caller IP's geolocation, which identifies where the call came from. 539 "regionCode": "A String", # A CLDR. 540 }, 541 "methodName": "A String", # The method that the service account called, e.g. "SetIamPolicy". 542 "principalEmail": "A String", # Associated email, such as "foo@google.com". 543 "serviceName": "A String", # This is the API service that the service account made a call to, e.g. "iam.googleapis.com" 544 "userAgentFamily": "A String", # What kind of user agent is associated, e.g. operating system shells, embedded or stand-alone applications, etc. 545 }, 546 "canonicalName": "A String", # The canonical name of the finding. It's either "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}", "folders/{folder_id}/sources/{source_id}/findings/{finding_id}" or "projects/{project_number}/sources/{source_id}/findings/{finding_id}", depending on the closest CRM ancestor of the resource associated with the finding. 547 "category": "A String", # The additional taxonomy group within findings from a given source. This field is immutable after creation time. Example: "XSS_FLASH_INJECTION" 548 "createTime": "A String", # The time at which the finding was created in Security Command Center. 549 "eventTime": "A String", # The time at which the event took place, or when an update to the finding occurred. For example, if the finding represents an open firewall it would capture the time the detector believes the firewall became open. The accuracy is determined by the detector. If the finding were to be resolved afterward, this time would reflect when the finding was resolved. Must not be set to a value greater than the current timestamp. 550 "externalSystems": { # Output only. Third party SIEM/SOAR fields within SCC, contains external system information and external system finding fields. 551 "a_key": { # Representation of third party SIEM/SOAR fields within SCC. 552 "assignees": [ # References primary/secondary etc assignees in the external system. 553 "A String", 554 ], 555 "externalSystemUpdateTime": "A String", # The most recent time when the corresponding finding's ticket/tracker was updated in the external system. 556 "externalUid": "A String", # Identifier that's used to track the given finding in the external system. 557 "name": "A String", # External System Name e.g. jira, demisto, etc. e.g.: organizations/1234/sources/5678/findings/123456/externalSystems/jira folders/1234/sources/5678/findings/123456/externalSystems/jira projects/1234/sources/5678/findings/123456/externalSystems/jira 558 "status": "A String", # Most recent status of the corresponding finding's ticket/tracker in the external system. 559 }, 560 }, 561 "externalUri": "A String", # The URI that, if available, points to a web page outside of Security Command Center where additional information about the finding can be found. This field is guaranteed to be either empty or a well formed URL. 562 "findingClass": "A String", # The class of the finding. 563 "indicator": { # Represents what's commonly known as an Indicator of compromise (IoC) in computer forensics. This is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Reference: https://en.wikipedia.org/wiki/Indicator_of_compromise # Represents what's commonly known as an Indicator of compromise (IoC) in computer forensics. This is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Reference: https://en.wikipedia.org/wiki/Indicator_of_compromise 564 "domains": [ # List of domains associated to the Finding. 565 "A String", 566 ], 567 "ipAddresses": [ # List of ip addresses associated to the Finding. 568 "A String", 569 ], 570 }, 571 "mitreAttack": { # MITRE ATT&CK tactics and techniques related to this finding. See: https://attack.mitre.org # MITRE ATT&CK tactics and techniques related to this finding. See: https://attack.mitre.org 572 "additionalTactics": [ # Additional MITRE ATT&CK tactics related to this finding, if any. 573 "A String", 574 ], 575 "additionalTechniques": [ # Additional MITRE ATT&CK techniques related to this finding, if any, along with any of their respective parent techniques. 576 "A String", 577 ], 578 "primaryTactic": "A String", # The MITRE ATT&CK tactic most closely represented by this finding, if any. 579 "primaryTechniques": [ # The MITRE ATT&CK technique most closely represented by this finding, if any. primary_techniques is a repeated field because there are multiple levels of MITRE ATT&CK techniques. If the technique most closely represented by this finding is a sub-technique (e.g. SCANNING_IP_BLOCKS), both the sub-technique and its parent technique(s) will be listed (e.g. SCANNING_IP_BLOCKS, ACTIVE_SCANNING). 580 "A String", 581 ], 582 "version": "A String", # The MITRE ATT&CK version referenced by the above fields. E.g. "8". 583 }, 584 "mute": "A String", # Indicates the mute state of a finding (either unspecified, muted, unmuted or undefined). 585 "muteInitiator": "A String", # First known as mute_annotation. Records additional information about the mute operation e.g. mute config that muted the finding, user who muted the finding, etc. 586 "muteUpdateTime": "A String", # Output only. The most recent time this finding was muted or unmuted. 587 "name": "A String", # The relative resource name of this finding. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name Example: "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}" 588 "parent": "A String", # The relative resource name of the source the finding belongs to. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name This field is immutable after creation time. For example: "organizations/{organization_id}/sources/{source_id}" 589 "resourceName": "A String", # For findings on Google Cloud resources, the full resource name of the Google Cloud resource this finding is for. See: https://cloud.google.com/apis/design/resource_names#full_resource_name When the finding is for a non-Google Cloud resource, the resourceName can be a customer or partner defined string. This field is immutable after creation time. 590 "securityMarks": { # User specified security marks that are attached to the parent Security Command Center resource. Security marks are scoped within a Security Command Center organization -- they can be modified and viewed by all users who have proper permissions on the organization. # Output only. User specified security marks. These marks are entirely managed by the user and come from the SecurityMarks resource that belongs to the finding. 591 "canonicalName": "A String", # The canonical name of the marks. Examples: "organizations/{organization_id}/assets/{asset_id}/securityMarks" "folders/{folder_id}/assets/{asset_id}/securityMarks" "projects/{project_number}/assets/{asset_id}/securityMarks" "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}/securityMarks" "folders/{folder_id}/sources/{source_id}/findings/{finding_id}/securityMarks" "projects/{project_number}/sources/{source_id}/findings/{finding_id}/securityMarks" 592 "marks": { # Mutable user specified security marks belonging to the parent resource. Constraints are as follows: * Keys and values are treated as case insensitive * Keys must be between 1 - 256 characters (inclusive) * Keys must be letters, numbers, underscores, or dashes * Values have leading and trailing whitespace trimmed, remaining characters must be between 1 - 4096 characters (inclusive) 593 "a_key": "A String", 594 }, 595 "name": "A String", # The relative resource name of the SecurityMarks. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name Examples: "organizations/{organization_id}/assets/{asset_id}/securityMarks" "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}/securityMarks". 596 }, 597 "severity": "A String", # The severity of the finding. This field is managed by the source that writes the finding. 598 "sourceProperties": { # Source specific properties. These properties are managed by the source that writes the finding. The key names in the source_properties map must be between 1 and 255 characters, and must start with a letter and contain alphanumeric characters or underscores only. 599 "a_key": "", 600 }, 601 "state": "A String", # The state of the finding. 602 "vulnerability": { # Refers to common vulnerability fields e.g. cve, cvss, cwe etc. # Represents vulnerability specific fields like cve, cvss scores etc. CVE stands for Common Vulnerabilities and Exposures (https://cve.mitre.org/about/) 603 "cve": { # CVE stands for Common Vulnerabilities and Exposures. More information: https://cve.mitre.org # CVE stands for Common Vulnerabilities and Exposures (https://cve.mitre.org/about/) 604 "cvssv3": { # Common Vulnerability Scoring System version 3. # Describe Common Vulnerability Scoring System specified at https://www.first.org/cvss/v3.1/specification-document 605 "attackComplexity": "A String", # This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. 606 "attackVector": "A String", # Base Metrics Represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. This metric reflects the context by which vulnerability exploitation is possible. 607 "availabilityImpact": "A String", # This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. 608 "baseScore": 3.14, # The base score is a function of the base metric scores. 609 "confidentialityImpact": "A String", # This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. 610 "integrityImpact": "A String", # This metric measures the impact to integrity of a successfully exploited vulnerability. 611 "privilegesRequired": "A String", # This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. 612 "scope": "A String", # The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope. 613 "userInteraction": "A String", # This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component. 614 }, 615 "id": "A String", # The unique identifier for the vulnerability. e.g. CVE-2021-34527 616 "references": [ # Additional information about the CVE. e.g. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527 617 { # Additional Links 618 "source": "A String", # Source of the reference e.g. NVD 619 "uri": "A String", # Uri for the mentioned source e.g. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527. 620 }, 621 ], 622 }, 623 }, 624} 625 626 updateMask: string, The FieldMask to use when updating the finding resource. This field should not be specified when creating a finding. When updating a finding, an empty mask is treated as updating all mutable fields and replacing source_properties. Individual source_properties can be added/updated by using "source_properties." in the field mask. 627 x__xgafv: string, V1 error format. 628 Allowed values 629 1 - v1 error format 630 2 - v2 error format 631 632Returns: 633 An object of the form: 634 635 { # Security Command Center finding. A finding is a record of assessment data like security, risk, health, or privacy, that is ingested into Security Command Center for presentation, notification, analysis, policy testing, and enforcement. For example, a cross-site scripting (XSS) vulnerability in an App Engine application is a finding. 636 "access": { # Represents an access event. # Access details associated to the Finding, such as more information on the caller, which method was accessed, from where, etc. 637 "callerIp": "A String", # Caller's IP address, such as "1.1.1.1". 638 "callerIpGeo": { # Represents a geographical location for a given access. # The caller IP's geolocation, which identifies where the call came from. 639 "regionCode": "A String", # A CLDR. 640 }, 641 "methodName": "A String", # The method that the service account called, e.g. "SetIamPolicy". 642 "principalEmail": "A String", # Associated email, such as "foo@google.com". 643 "serviceName": "A String", # This is the API service that the service account made a call to, e.g. "iam.googleapis.com" 644 "userAgentFamily": "A String", # What kind of user agent is associated, e.g. operating system shells, embedded or stand-alone applications, etc. 645 }, 646 "canonicalName": "A String", # The canonical name of the finding. It's either "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}", "folders/{folder_id}/sources/{source_id}/findings/{finding_id}" or "projects/{project_number}/sources/{source_id}/findings/{finding_id}", depending on the closest CRM ancestor of the resource associated with the finding. 647 "category": "A String", # The additional taxonomy group within findings from a given source. This field is immutable after creation time. Example: "XSS_FLASH_INJECTION" 648 "createTime": "A String", # The time at which the finding was created in Security Command Center. 649 "eventTime": "A String", # The time at which the event took place, or when an update to the finding occurred. For example, if the finding represents an open firewall it would capture the time the detector believes the firewall became open. The accuracy is determined by the detector. If the finding were to be resolved afterward, this time would reflect when the finding was resolved. Must not be set to a value greater than the current timestamp. 650 "externalSystems": { # Output only. Third party SIEM/SOAR fields within SCC, contains external system information and external system finding fields. 651 "a_key": { # Representation of third party SIEM/SOAR fields within SCC. 652 "assignees": [ # References primary/secondary etc assignees in the external system. 653 "A String", 654 ], 655 "externalSystemUpdateTime": "A String", # The most recent time when the corresponding finding's ticket/tracker was updated in the external system. 656 "externalUid": "A String", # Identifier that's used to track the given finding in the external system. 657 "name": "A String", # External System Name e.g. jira, demisto, etc. e.g.: organizations/1234/sources/5678/findings/123456/externalSystems/jira folders/1234/sources/5678/findings/123456/externalSystems/jira projects/1234/sources/5678/findings/123456/externalSystems/jira 658 "status": "A String", # Most recent status of the corresponding finding's ticket/tracker in the external system. 659 }, 660 }, 661 "externalUri": "A String", # The URI that, if available, points to a web page outside of Security Command Center where additional information about the finding can be found. This field is guaranteed to be either empty or a well formed URL. 662 "findingClass": "A String", # The class of the finding. 663 "indicator": { # Represents what's commonly known as an Indicator of compromise (IoC) in computer forensics. This is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Reference: https://en.wikipedia.org/wiki/Indicator_of_compromise # Represents what's commonly known as an Indicator of compromise (IoC) in computer forensics. This is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Reference: https://en.wikipedia.org/wiki/Indicator_of_compromise 664 "domains": [ # List of domains associated to the Finding. 665 "A String", 666 ], 667 "ipAddresses": [ # List of ip addresses associated to the Finding. 668 "A String", 669 ], 670 }, 671 "mitreAttack": { # MITRE ATT&CK tactics and techniques related to this finding. See: https://attack.mitre.org # MITRE ATT&CK tactics and techniques related to this finding. See: https://attack.mitre.org 672 "additionalTactics": [ # Additional MITRE ATT&CK tactics related to this finding, if any. 673 "A String", 674 ], 675 "additionalTechniques": [ # Additional MITRE ATT&CK techniques related to this finding, if any, along with any of their respective parent techniques. 676 "A String", 677 ], 678 "primaryTactic": "A String", # The MITRE ATT&CK tactic most closely represented by this finding, if any. 679 "primaryTechniques": [ # The MITRE ATT&CK technique most closely represented by this finding, if any. primary_techniques is a repeated field because there are multiple levels of MITRE ATT&CK techniques. If the technique most closely represented by this finding is a sub-technique (e.g. SCANNING_IP_BLOCKS), both the sub-technique and its parent technique(s) will be listed (e.g. SCANNING_IP_BLOCKS, ACTIVE_SCANNING). 680 "A String", 681 ], 682 "version": "A String", # The MITRE ATT&CK version referenced by the above fields. E.g. "8". 683 }, 684 "mute": "A String", # Indicates the mute state of a finding (either unspecified, muted, unmuted or undefined). 685 "muteInitiator": "A String", # First known as mute_annotation. Records additional information about the mute operation e.g. mute config that muted the finding, user who muted the finding, etc. 686 "muteUpdateTime": "A String", # Output only. The most recent time this finding was muted or unmuted. 687 "name": "A String", # The relative resource name of this finding. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name Example: "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}" 688 "parent": "A String", # The relative resource name of the source the finding belongs to. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name This field is immutable after creation time. For example: "organizations/{organization_id}/sources/{source_id}" 689 "resourceName": "A String", # For findings on Google Cloud resources, the full resource name of the Google Cloud resource this finding is for. See: https://cloud.google.com/apis/design/resource_names#full_resource_name When the finding is for a non-Google Cloud resource, the resourceName can be a customer or partner defined string. This field is immutable after creation time. 690 "securityMarks": { # User specified security marks that are attached to the parent Security Command Center resource. Security marks are scoped within a Security Command Center organization -- they can be modified and viewed by all users who have proper permissions on the organization. # Output only. User specified security marks. These marks are entirely managed by the user and come from the SecurityMarks resource that belongs to the finding. 691 "canonicalName": "A String", # The canonical name of the marks. Examples: "organizations/{organization_id}/assets/{asset_id}/securityMarks" "folders/{folder_id}/assets/{asset_id}/securityMarks" "projects/{project_number}/assets/{asset_id}/securityMarks" "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}/securityMarks" "folders/{folder_id}/sources/{source_id}/findings/{finding_id}/securityMarks" "projects/{project_number}/sources/{source_id}/findings/{finding_id}/securityMarks" 692 "marks": { # Mutable user specified security marks belonging to the parent resource. Constraints are as follows: * Keys and values are treated as case insensitive * Keys must be between 1 - 256 characters (inclusive) * Keys must be letters, numbers, underscores, or dashes * Values have leading and trailing whitespace trimmed, remaining characters must be between 1 - 4096 characters (inclusive) 693 "a_key": "A String", 694 }, 695 "name": "A String", # The relative resource name of the SecurityMarks. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name Examples: "organizations/{organization_id}/assets/{asset_id}/securityMarks" "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}/securityMarks". 696 }, 697 "severity": "A String", # The severity of the finding. This field is managed by the source that writes the finding. 698 "sourceProperties": { # Source specific properties. These properties are managed by the source that writes the finding. The key names in the source_properties map must be between 1 and 255 characters, and must start with a letter and contain alphanumeric characters or underscores only. 699 "a_key": "", 700 }, 701 "state": "A String", # The state of the finding. 702 "vulnerability": { # Refers to common vulnerability fields e.g. cve, cvss, cwe etc. # Represents vulnerability specific fields like cve, cvss scores etc. CVE stands for Common Vulnerabilities and Exposures (https://cve.mitre.org/about/) 703 "cve": { # CVE stands for Common Vulnerabilities and Exposures. More information: https://cve.mitre.org # CVE stands for Common Vulnerabilities and Exposures (https://cve.mitre.org/about/) 704 "cvssv3": { # Common Vulnerability Scoring System version 3. # Describe Common Vulnerability Scoring System specified at https://www.first.org/cvss/v3.1/specification-document 705 "attackComplexity": "A String", # This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. 706 "attackVector": "A String", # Base Metrics Represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. This metric reflects the context by which vulnerability exploitation is possible. 707 "availabilityImpact": "A String", # This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. 708 "baseScore": 3.14, # The base score is a function of the base metric scores. 709 "confidentialityImpact": "A String", # This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. 710 "integrityImpact": "A String", # This metric measures the impact to integrity of a successfully exploited vulnerability. 711 "privilegesRequired": "A String", # This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. 712 "scope": "A String", # The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope. 713 "userInteraction": "A String", # This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component. 714 }, 715 "id": "A String", # The unique identifier for the vulnerability. e.g. CVE-2021-34527 716 "references": [ # Additional information about the CVE. e.g. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527 717 { # Additional Links 718 "source": "A String", # Source of the reference e.g. NVD 719 "uri": "A String", # Uri for the mentioned source e.g. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527. 720 }, 721 ], 722 }, 723 }, 724}</pre> 725</div> 726 727<div class="method"> 728 <code class="details" id="setMute">setMute(name, body=None, x__xgafv=None)</code> 729 <pre>Updates the mute state of a finding. 730 731Args: 732 name: string, Required. The relative resource name of the finding. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name Example: "organizations/{organization_id}/sources/{source_id}/finding/{finding_id}", "folders/{folder_id}/sources/{source_id}/finding/{finding_id}", "projects/{project_id}/sources/{source_id}/finding/{finding_id}". (required) 733 body: object, The request body. 734 The object takes the form of: 735 736{ # Request message for updating a finding's mute status. 737 "mute": "A String", # Required. The desired state of the Mute. 738} 739 740 x__xgafv: string, V1 error format. 741 Allowed values 742 1 - v1 error format 743 2 - v2 error format 744 745Returns: 746 An object of the form: 747 748 { # Security Command Center finding. A finding is a record of assessment data like security, risk, health, or privacy, that is ingested into Security Command Center for presentation, notification, analysis, policy testing, and enforcement. For example, a cross-site scripting (XSS) vulnerability in an App Engine application is a finding. 749 "access": { # Represents an access event. # Access details associated to the Finding, such as more information on the caller, which method was accessed, from where, etc. 750 "callerIp": "A String", # Caller's IP address, such as "1.1.1.1". 751 "callerIpGeo": { # Represents a geographical location for a given access. # The caller IP's geolocation, which identifies where the call came from. 752 "regionCode": "A String", # A CLDR. 753 }, 754 "methodName": "A String", # The method that the service account called, e.g. "SetIamPolicy". 755 "principalEmail": "A String", # Associated email, such as "foo@google.com". 756 "serviceName": "A String", # This is the API service that the service account made a call to, e.g. "iam.googleapis.com" 757 "userAgentFamily": "A String", # What kind of user agent is associated, e.g. operating system shells, embedded or stand-alone applications, etc. 758 }, 759 "canonicalName": "A String", # The canonical name of the finding. It's either "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}", "folders/{folder_id}/sources/{source_id}/findings/{finding_id}" or "projects/{project_number}/sources/{source_id}/findings/{finding_id}", depending on the closest CRM ancestor of the resource associated with the finding. 760 "category": "A String", # The additional taxonomy group within findings from a given source. This field is immutable after creation time. Example: "XSS_FLASH_INJECTION" 761 "createTime": "A String", # The time at which the finding was created in Security Command Center. 762 "eventTime": "A String", # The time at which the event took place, or when an update to the finding occurred. For example, if the finding represents an open firewall it would capture the time the detector believes the firewall became open. The accuracy is determined by the detector. If the finding were to be resolved afterward, this time would reflect when the finding was resolved. Must not be set to a value greater than the current timestamp. 763 "externalSystems": { # Output only. Third party SIEM/SOAR fields within SCC, contains external system information and external system finding fields. 764 "a_key": { # Representation of third party SIEM/SOAR fields within SCC. 765 "assignees": [ # References primary/secondary etc assignees in the external system. 766 "A String", 767 ], 768 "externalSystemUpdateTime": "A String", # The most recent time when the corresponding finding's ticket/tracker was updated in the external system. 769 "externalUid": "A String", # Identifier that's used to track the given finding in the external system. 770 "name": "A String", # External System Name e.g. jira, demisto, etc. e.g.: organizations/1234/sources/5678/findings/123456/externalSystems/jira folders/1234/sources/5678/findings/123456/externalSystems/jira projects/1234/sources/5678/findings/123456/externalSystems/jira 771 "status": "A String", # Most recent status of the corresponding finding's ticket/tracker in the external system. 772 }, 773 }, 774 "externalUri": "A String", # The URI that, if available, points to a web page outside of Security Command Center where additional information about the finding can be found. This field is guaranteed to be either empty or a well formed URL. 775 "findingClass": "A String", # The class of the finding. 776 "indicator": { # Represents what's commonly known as an Indicator of compromise (IoC) in computer forensics. This is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Reference: https://en.wikipedia.org/wiki/Indicator_of_compromise # Represents what's commonly known as an Indicator of compromise (IoC) in computer forensics. This is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Reference: https://en.wikipedia.org/wiki/Indicator_of_compromise 777 "domains": [ # List of domains associated to the Finding. 778 "A String", 779 ], 780 "ipAddresses": [ # List of ip addresses associated to the Finding. 781 "A String", 782 ], 783 }, 784 "mitreAttack": { # MITRE ATT&CK tactics and techniques related to this finding. See: https://attack.mitre.org # MITRE ATT&CK tactics and techniques related to this finding. See: https://attack.mitre.org 785 "additionalTactics": [ # Additional MITRE ATT&CK tactics related to this finding, if any. 786 "A String", 787 ], 788 "additionalTechniques": [ # Additional MITRE ATT&CK techniques related to this finding, if any, along with any of their respective parent techniques. 789 "A String", 790 ], 791 "primaryTactic": "A String", # The MITRE ATT&CK tactic most closely represented by this finding, if any. 792 "primaryTechniques": [ # The MITRE ATT&CK technique most closely represented by this finding, if any. primary_techniques is a repeated field because there are multiple levels of MITRE ATT&CK techniques. If the technique most closely represented by this finding is a sub-technique (e.g. SCANNING_IP_BLOCKS), both the sub-technique and its parent technique(s) will be listed (e.g. SCANNING_IP_BLOCKS, ACTIVE_SCANNING). 793 "A String", 794 ], 795 "version": "A String", # The MITRE ATT&CK version referenced by the above fields. E.g. "8". 796 }, 797 "mute": "A String", # Indicates the mute state of a finding (either unspecified, muted, unmuted or undefined). 798 "muteInitiator": "A String", # First known as mute_annotation. Records additional information about the mute operation e.g. mute config that muted the finding, user who muted the finding, etc. 799 "muteUpdateTime": "A String", # Output only. The most recent time this finding was muted or unmuted. 800 "name": "A String", # The relative resource name of this finding. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name Example: "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}" 801 "parent": "A String", # The relative resource name of the source the finding belongs to. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name This field is immutable after creation time. For example: "organizations/{organization_id}/sources/{source_id}" 802 "resourceName": "A String", # For findings on Google Cloud resources, the full resource name of the Google Cloud resource this finding is for. See: https://cloud.google.com/apis/design/resource_names#full_resource_name When the finding is for a non-Google Cloud resource, the resourceName can be a customer or partner defined string. This field is immutable after creation time. 803 "securityMarks": { # User specified security marks that are attached to the parent Security Command Center resource. Security marks are scoped within a Security Command Center organization -- they can be modified and viewed by all users who have proper permissions on the organization. # Output only. User specified security marks. These marks are entirely managed by the user and come from the SecurityMarks resource that belongs to the finding. 804 "canonicalName": "A String", # The canonical name of the marks. Examples: "organizations/{organization_id}/assets/{asset_id}/securityMarks" "folders/{folder_id}/assets/{asset_id}/securityMarks" "projects/{project_number}/assets/{asset_id}/securityMarks" "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}/securityMarks" "folders/{folder_id}/sources/{source_id}/findings/{finding_id}/securityMarks" "projects/{project_number}/sources/{source_id}/findings/{finding_id}/securityMarks" 805 "marks": { # Mutable user specified security marks belonging to the parent resource. Constraints are as follows: * Keys and values are treated as case insensitive * Keys must be between 1 - 256 characters (inclusive) * Keys must be letters, numbers, underscores, or dashes * Values have leading and trailing whitespace trimmed, remaining characters must be between 1 - 4096 characters (inclusive) 806 "a_key": "A String", 807 }, 808 "name": "A String", # The relative resource name of the SecurityMarks. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name Examples: "organizations/{organization_id}/assets/{asset_id}/securityMarks" "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}/securityMarks". 809 }, 810 "severity": "A String", # The severity of the finding. This field is managed by the source that writes the finding. 811 "sourceProperties": { # Source specific properties. These properties are managed by the source that writes the finding. The key names in the source_properties map must be between 1 and 255 characters, and must start with a letter and contain alphanumeric characters or underscores only. 812 "a_key": "", 813 }, 814 "state": "A String", # The state of the finding. 815 "vulnerability": { # Refers to common vulnerability fields e.g. cve, cvss, cwe etc. # Represents vulnerability specific fields like cve, cvss scores etc. CVE stands for Common Vulnerabilities and Exposures (https://cve.mitre.org/about/) 816 "cve": { # CVE stands for Common Vulnerabilities and Exposures. More information: https://cve.mitre.org # CVE stands for Common Vulnerabilities and Exposures (https://cve.mitre.org/about/) 817 "cvssv3": { # Common Vulnerability Scoring System version 3. # Describe Common Vulnerability Scoring System specified at https://www.first.org/cvss/v3.1/specification-document 818 "attackComplexity": "A String", # This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. 819 "attackVector": "A String", # Base Metrics Represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. This metric reflects the context by which vulnerability exploitation is possible. 820 "availabilityImpact": "A String", # This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. 821 "baseScore": 3.14, # The base score is a function of the base metric scores. 822 "confidentialityImpact": "A String", # This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. 823 "integrityImpact": "A String", # This metric measures the impact to integrity of a successfully exploited vulnerability. 824 "privilegesRequired": "A String", # This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. 825 "scope": "A String", # The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope. 826 "userInteraction": "A String", # This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component. 827 }, 828 "id": "A String", # The unique identifier for the vulnerability. e.g. CVE-2021-34527 829 "references": [ # Additional information about the CVE. e.g. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527 830 { # Additional Links 831 "source": "A String", # Source of the reference e.g. NVD 832 "uri": "A String", # Uri for the mentioned source e.g. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527. 833 }, 834 ], 835 }, 836 }, 837}</pre> 838</div> 839 840<div class="method"> 841 <code class="details" id="setState">setState(name, body=None, x__xgafv=None)</code> 842 <pre>Updates the state of a finding. 843 844Args: 845 name: string, Required. The relative resource name of the finding. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name Example: "organizations/{organization_id}/sources/{source_id}/finding/{finding_id}". (required) 846 body: object, The request body. 847 The object takes the form of: 848 849{ # Request message for updating a finding's state. 850 "startTime": "A String", # Required. The time at which the updated state takes effect. 851 "state": "A String", # Required. The desired State of the finding. 852} 853 854 x__xgafv: string, V1 error format. 855 Allowed values 856 1 - v1 error format 857 2 - v2 error format 858 859Returns: 860 An object of the form: 861 862 { # Security Command Center finding. A finding is a record of assessment data like security, risk, health, or privacy, that is ingested into Security Command Center for presentation, notification, analysis, policy testing, and enforcement. For example, a cross-site scripting (XSS) vulnerability in an App Engine application is a finding. 863 "access": { # Represents an access event. # Access details associated to the Finding, such as more information on the caller, which method was accessed, from where, etc. 864 "callerIp": "A String", # Caller's IP address, such as "1.1.1.1". 865 "callerIpGeo": { # Represents a geographical location for a given access. # The caller IP's geolocation, which identifies where the call came from. 866 "regionCode": "A String", # A CLDR. 867 }, 868 "methodName": "A String", # The method that the service account called, e.g. "SetIamPolicy". 869 "principalEmail": "A String", # Associated email, such as "foo@google.com". 870 "serviceName": "A String", # This is the API service that the service account made a call to, e.g. "iam.googleapis.com" 871 "userAgentFamily": "A String", # What kind of user agent is associated, e.g. operating system shells, embedded or stand-alone applications, etc. 872 }, 873 "canonicalName": "A String", # The canonical name of the finding. It's either "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}", "folders/{folder_id}/sources/{source_id}/findings/{finding_id}" or "projects/{project_number}/sources/{source_id}/findings/{finding_id}", depending on the closest CRM ancestor of the resource associated with the finding. 874 "category": "A String", # The additional taxonomy group within findings from a given source. This field is immutable after creation time. Example: "XSS_FLASH_INJECTION" 875 "createTime": "A String", # The time at which the finding was created in Security Command Center. 876 "eventTime": "A String", # The time at which the event took place, or when an update to the finding occurred. For example, if the finding represents an open firewall it would capture the time the detector believes the firewall became open. The accuracy is determined by the detector. If the finding were to be resolved afterward, this time would reflect when the finding was resolved. Must not be set to a value greater than the current timestamp. 877 "externalSystems": { # Output only. Third party SIEM/SOAR fields within SCC, contains external system information and external system finding fields. 878 "a_key": { # Representation of third party SIEM/SOAR fields within SCC. 879 "assignees": [ # References primary/secondary etc assignees in the external system. 880 "A String", 881 ], 882 "externalSystemUpdateTime": "A String", # The most recent time when the corresponding finding's ticket/tracker was updated in the external system. 883 "externalUid": "A String", # Identifier that's used to track the given finding in the external system. 884 "name": "A String", # External System Name e.g. jira, demisto, etc. e.g.: organizations/1234/sources/5678/findings/123456/externalSystems/jira folders/1234/sources/5678/findings/123456/externalSystems/jira projects/1234/sources/5678/findings/123456/externalSystems/jira 885 "status": "A String", # Most recent status of the corresponding finding's ticket/tracker in the external system. 886 }, 887 }, 888 "externalUri": "A String", # The URI that, if available, points to a web page outside of Security Command Center where additional information about the finding can be found. This field is guaranteed to be either empty or a well formed URL. 889 "findingClass": "A String", # The class of the finding. 890 "indicator": { # Represents what's commonly known as an Indicator of compromise (IoC) in computer forensics. This is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Reference: https://en.wikipedia.org/wiki/Indicator_of_compromise # Represents what's commonly known as an Indicator of compromise (IoC) in computer forensics. This is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Reference: https://en.wikipedia.org/wiki/Indicator_of_compromise 891 "domains": [ # List of domains associated to the Finding. 892 "A String", 893 ], 894 "ipAddresses": [ # List of ip addresses associated to the Finding. 895 "A String", 896 ], 897 }, 898 "mitreAttack": { # MITRE ATT&CK tactics and techniques related to this finding. See: https://attack.mitre.org # MITRE ATT&CK tactics and techniques related to this finding. See: https://attack.mitre.org 899 "additionalTactics": [ # Additional MITRE ATT&CK tactics related to this finding, if any. 900 "A String", 901 ], 902 "additionalTechniques": [ # Additional MITRE ATT&CK techniques related to this finding, if any, along with any of their respective parent techniques. 903 "A String", 904 ], 905 "primaryTactic": "A String", # The MITRE ATT&CK tactic most closely represented by this finding, if any. 906 "primaryTechniques": [ # The MITRE ATT&CK technique most closely represented by this finding, if any. primary_techniques is a repeated field because there are multiple levels of MITRE ATT&CK techniques. If the technique most closely represented by this finding is a sub-technique (e.g. SCANNING_IP_BLOCKS), both the sub-technique and its parent technique(s) will be listed (e.g. SCANNING_IP_BLOCKS, ACTIVE_SCANNING). 907 "A String", 908 ], 909 "version": "A String", # The MITRE ATT&CK version referenced by the above fields. E.g. "8". 910 }, 911 "mute": "A String", # Indicates the mute state of a finding (either unspecified, muted, unmuted or undefined). 912 "muteInitiator": "A String", # First known as mute_annotation. Records additional information about the mute operation e.g. mute config that muted the finding, user who muted the finding, etc. 913 "muteUpdateTime": "A String", # Output only. The most recent time this finding was muted or unmuted. 914 "name": "A String", # The relative resource name of this finding. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name Example: "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}" 915 "parent": "A String", # The relative resource name of the source the finding belongs to. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name This field is immutable after creation time. For example: "organizations/{organization_id}/sources/{source_id}" 916 "resourceName": "A String", # For findings on Google Cloud resources, the full resource name of the Google Cloud resource this finding is for. See: https://cloud.google.com/apis/design/resource_names#full_resource_name When the finding is for a non-Google Cloud resource, the resourceName can be a customer or partner defined string. This field is immutable after creation time. 917 "securityMarks": { # User specified security marks that are attached to the parent Security Command Center resource. Security marks are scoped within a Security Command Center organization -- they can be modified and viewed by all users who have proper permissions on the organization. # Output only. User specified security marks. These marks are entirely managed by the user and come from the SecurityMarks resource that belongs to the finding. 918 "canonicalName": "A String", # The canonical name of the marks. Examples: "organizations/{organization_id}/assets/{asset_id}/securityMarks" "folders/{folder_id}/assets/{asset_id}/securityMarks" "projects/{project_number}/assets/{asset_id}/securityMarks" "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}/securityMarks" "folders/{folder_id}/sources/{source_id}/findings/{finding_id}/securityMarks" "projects/{project_number}/sources/{source_id}/findings/{finding_id}/securityMarks" 919 "marks": { # Mutable user specified security marks belonging to the parent resource. Constraints are as follows: * Keys and values are treated as case insensitive * Keys must be between 1 - 256 characters (inclusive) * Keys must be letters, numbers, underscores, or dashes * Values have leading and trailing whitespace trimmed, remaining characters must be between 1 - 4096 characters (inclusive) 920 "a_key": "A String", 921 }, 922 "name": "A String", # The relative resource name of the SecurityMarks. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name Examples: "organizations/{organization_id}/assets/{asset_id}/securityMarks" "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}/securityMarks". 923 }, 924 "severity": "A String", # The severity of the finding. This field is managed by the source that writes the finding. 925 "sourceProperties": { # Source specific properties. These properties are managed by the source that writes the finding. The key names in the source_properties map must be between 1 and 255 characters, and must start with a letter and contain alphanumeric characters or underscores only. 926 "a_key": "", 927 }, 928 "state": "A String", # The state of the finding. 929 "vulnerability": { # Refers to common vulnerability fields e.g. cve, cvss, cwe etc. # Represents vulnerability specific fields like cve, cvss scores etc. CVE stands for Common Vulnerabilities and Exposures (https://cve.mitre.org/about/) 930 "cve": { # CVE stands for Common Vulnerabilities and Exposures. More information: https://cve.mitre.org # CVE stands for Common Vulnerabilities and Exposures (https://cve.mitre.org/about/) 931 "cvssv3": { # Common Vulnerability Scoring System version 3. # Describe Common Vulnerability Scoring System specified at https://www.first.org/cvss/v3.1/specification-document 932 "attackComplexity": "A String", # This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. 933 "attackVector": "A String", # Base Metrics Represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. This metric reflects the context by which vulnerability exploitation is possible. 934 "availabilityImpact": "A String", # This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. 935 "baseScore": 3.14, # The base score is a function of the base metric scores. 936 "confidentialityImpact": "A String", # This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. 937 "integrityImpact": "A String", # This metric measures the impact to integrity of a successfully exploited vulnerability. 938 "privilegesRequired": "A String", # This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. 939 "scope": "A String", # The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope. 940 "userInteraction": "A String", # This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component. 941 }, 942 "id": "A String", # The unique identifier for the vulnerability. e.g. CVE-2021-34527 943 "references": [ # Additional information about the CVE. e.g. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527 944 { # Additional Links 945 "source": "A String", # Source of the reference e.g. NVD 946 "uri": "A String", # Uri for the mentioned source e.g. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527. 947 }, 948 ], 949 }, 950 }, 951}</pre> 952</div> 953 954<div class="method"> 955 <code class="details" id="updateSecurityMarks">updateSecurityMarks(name, body=None, startTime=None, updateMask=None, x__xgafv=None)</code> 956 <pre>Updates security marks. 957 958Args: 959 name: string, The relative resource name of the SecurityMarks. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name Examples: "organizations/{organization_id}/assets/{asset_id}/securityMarks" "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}/securityMarks". (required) 960 body: object, The request body. 961 The object takes the form of: 962 963{ # User specified security marks that are attached to the parent Security Command Center resource. Security marks are scoped within a Security Command Center organization -- they can be modified and viewed by all users who have proper permissions on the organization. 964 "canonicalName": "A String", # The canonical name of the marks. Examples: "organizations/{organization_id}/assets/{asset_id}/securityMarks" "folders/{folder_id}/assets/{asset_id}/securityMarks" "projects/{project_number}/assets/{asset_id}/securityMarks" "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}/securityMarks" "folders/{folder_id}/sources/{source_id}/findings/{finding_id}/securityMarks" "projects/{project_number}/sources/{source_id}/findings/{finding_id}/securityMarks" 965 "marks": { # Mutable user specified security marks belonging to the parent resource. Constraints are as follows: * Keys and values are treated as case insensitive * Keys must be between 1 - 256 characters (inclusive) * Keys must be letters, numbers, underscores, or dashes * Values have leading and trailing whitespace trimmed, remaining characters must be between 1 - 4096 characters (inclusive) 966 "a_key": "A String", 967 }, 968 "name": "A String", # The relative resource name of the SecurityMarks. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name Examples: "organizations/{organization_id}/assets/{asset_id}/securityMarks" "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}/securityMarks". 969} 970 971 startTime: string, The time at which the updated SecurityMarks take effect. If not set uses current server time. Updates will be applied to the SecurityMarks that are active immediately preceding this time. 972 updateMask: string, The FieldMask to use when updating the security marks resource. The field mask must not contain duplicate fields. If empty or set to "marks", all marks will be replaced. Individual marks can be updated using "marks.". 973 x__xgafv: string, V1 error format. 974 Allowed values 975 1 - v1 error format 976 2 - v2 error format 977 978Returns: 979 An object of the form: 980 981 { # User specified security marks that are attached to the parent Security Command Center resource. Security marks are scoped within a Security Command Center organization -- they can be modified and viewed by all users who have proper permissions on the organization. 982 "canonicalName": "A String", # The canonical name of the marks. Examples: "organizations/{organization_id}/assets/{asset_id}/securityMarks" "folders/{folder_id}/assets/{asset_id}/securityMarks" "projects/{project_number}/assets/{asset_id}/securityMarks" "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}/securityMarks" "folders/{folder_id}/sources/{source_id}/findings/{finding_id}/securityMarks" "projects/{project_number}/sources/{source_id}/findings/{finding_id}/securityMarks" 983 "marks": { # Mutable user specified security marks belonging to the parent resource. Constraints are as follows: * Keys and values are treated as case insensitive * Keys must be between 1 - 256 characters (inclusive) * Keys must be letters, numbers, underscores, or dashes * Values have leading and trailing whitespace trimmed, remaining characters must be between 1 - 4096 characters (inclusive) 984 "a_key": "A String", 985 }, 986 "name": "A String", # The relative resource name of the SecurityMarks. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name Examples: "organizations/{organization_id}/assets/{asset_id}/securityMarks" "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}/securityMarks". 987}</pre> 988</div> 989 990</body></html>