Stay organized with collections
Save and categorize content based on your preferences.
A finding can have one of two states: Active or Inactive.
When a finding is first created, the built-in detection services set the
state property of the finding to Active. Generally, you can consider
Active to mean that the underlying security issue still exists; however,
as explained later in this section, that is not always the case.
The state of a finding can become Inactive if certain detection services
detect that the security issue was remediated or that the affected resource
was deleted. You can also manually change the state to Inactive. Generally, Inactive means that the underlying security issue no
longer exists; however, as explained later in this section, that is
not always the case.
At any point in time, the state of a finding might not reflect the
current state of the detected security issue. The following list shows some
of the reasons a mismatch might occur:
Some detection services do not update their findings automatically
after the detected issue is remediated.
The state of threat findings are never changed automatically.
For the detection services that do update their findings automatically,
there is usually a delay before the remediation is detected and the finding
is updated.
For some detection services, the state of a finding might be changed manually to a state that does
not match the state of the detected issue.
Only the following vulnerability and misconfiguration detection services
automatically change the state of a finding from Active to Inactive upon
detecting that the corresponding issue is remediated:
Security Health Analytics, including when a detector in Security Health Analytics is
disabled. See Automatic deactivation of
findings
for information about all the events that might cause Security Health Analytics to
automatically change the state of their finding. + VM Manager
Downgrading to the Standard tier also changes the state of Premium or Enterprise
findings to Inactive. Learn more about Service
tiers.
For information about manually changing the state of a finding in the
Google Cloud console, see
Changing the state of a finding.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["| Standard, Premium, and Enterprise [service tiers](/security-command-center/docs/service-tiers)\n\nA finding can have one of two states: `Active` or `Inactive`.\n\nWhen a finding is first created, the built-in detection services set the\n`state` property of the finding to `Active`. Generally, you can consider\n`Active` to mean that the underlying security issue still exists; however,\nas explained later in this section, that is not always the case.\n\nThe state of a finding can become `Inactive` if certain detection services\ndetect that the security issue was remediated or that the affected resource\nwas deleted. You can also manually change the state to `Inactive`. Generally, `Inactive` means that the underlying security issue no\nlonger exists; however, as explained later in this section, that is\nnot always the case.\n\nAt any point in time, the `state` of a finding might not reflect the\ncurrent state of the detected security issue. The following list shows some\nof the reasons a mismatch might occur:\n\n- Some detection services do not update their findings automatically\n after the detected issue is remediated.\n\n The state of threat findings are never changed automatically.\n- For the detection services that do update their findings automatically,\n there is usually a delay before the remediation is detected and the finding\n is updated.\n\n- For some detection services, the state of a finding might be changed manually to a state that does\n not match the state of the detected issue.\n\nOnly the following vulnerability and misconfiguration detection services\nautomatically change the state of a finding from `Active` to `Inactive` upon\ndetecting that the corresponding issue is remediated:\n\n- Security Health Analytics, including when a detector in Security Health Analytics is disabled. See [Automatic deactivation of\n findings](/security-command-center/docs/how-to-remediate-security-health-analytics-findings#finding-deactivation) for information about all the events that might cause Security Health Analytics to automatically change the state of their finding. + VM Manager\n\nDowngrading to the Standard tier also changes the state of Premium or Enterprise\nfindings to `Inactive`. Learn more about [Service\ntiers](/security-command-center/docs/service-tiers).\n\nFor information about manually changing the state of a finding in the\nGoogle Cloud console, see\n[Changing the state of a finding](/security-command-center/docs/how-to-work-with-findings-in-the-dashboard#change_the_state_of_a_finding)."]]
