Summary: Findings Workflow Improvements

Security Command Center is refreshing the Findings page, which lets you view, search for, and inspect findings in the Google Cloud console. This page lists the improvements in the Findings page.

Security Command Center roles are granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.

The Findings page has the following improvements.

Global changes

The following improvements apply to quick filters, the query builder, the findings table, and finding details:

  • For accessibility reasons, property names (or filter names) and values are displayed in sentence case.
  • Readable attribute or filter names are displayed instead of their API equivalents. For example, the filter name IP addresses is used in place of indicator.ip_addresses.
  • Security marks were removed. You can still update and access security marks through the Security Command Center API.

Quick filters

The Quick filters section has the following improvements:

  • You can apply quick filters on the following finding attributes. Only a subset of these quick filters is available on the legacy Findings page.

    • Category
    • Finding class
    • Mute state
    • Project ID
    • Resource type
    • Severity
    • Source display name
    • State
  • You can select multiple values across multiple filter categories.

Learn how to apply filters in the Findings Workflow Improvements view later on this page.

Query builder

The Query preview field, also known as the query builder, replaced the legacy Filter field. The query builder has the following improvements:

  • It provides a graphical user interface that lets you look up and select properly formatted filter names, operators, and filter values.
  • When you type your query in the query builder, it provides an autocomplete menu where you can select filter names and functions.
  • The query builder highlights any errors in your query as you write it, so you can make the necessary corrections before you apply the query.
  • The query builder lets you filter on new finding attributes, which are available across all Security Command Center services:

    The legacy Filter field doesn't support these new attributes.

Learn how to Create or edit a findings query through the query builder later on this page.

Finding details

In the findings table, when you click the category name of a finding, that finding's details are displayed. In the details pane, you can now do the following:

  • Update the current findings filter to include or exclude an attribute. Your changes are applied to the query builder and quick filters in the main Findings page.
  • Use the next or previous button to go to the next or previous finding, without having to go back to the Findings page.

  • View the finding attribute names as they are used in the Security Command Center API.

    API equivalents of finding attribute names

In place of the Mute menu, the Take action menu was added. It lets you do the following:

  • Mute or Unmute: Mute or unmute the finding.
  • Mute findings like this: Open the Create mute rule page, where you can configure a rule that mutes all future findings similar to the current finding.
  • Copy link: Place a direct link to the finding in your clipboard, so that you can share it with others.

  • Send feedback: Send feedback about the finding to the Security Command Center team. The feedback tool lets you capture and include a screenshot.

Take action menu

The following sections describe the Summary and JSON tabs.

Summary tab

The format of the Summary tab was standardized across all services that run on Security Command Center. The tab was reorganized to highlight the following information:

What was detected
Details about the finding detected, such as its severity and state.
Affected resource
Details about the asset associated with the finding, including technical and security contacts. This section also contains a menu that lets you view the resource's details.
Next steps
Optional. Certain services, such as Security Health Analytics, provide guidance on what you can do to remediate the issue detected.
Related links
Optional. Certain services, such as Event Threat Detection, provide links to key sources of security information outside of Security Command Center.
Detection service
Details about the service that detected the finding, also known as the source.

JSON tab

The JSON tab was added. It contains the following objects:

  • findings: The finding's attributes. These attributes are standardized across all built-in and integrated services (also known as security sources). For more information, see Finding.
  • resource: The attributes of the affected resource. For more information, see Resource.
  • sourceProperties: The service-specific properties of the finding.

Upgrade to the Findings Workflow Improvements

  1. Go to the Findings Workflow Improvements view in Security Command Center.

    Go to Findings

  2. If necessary, select your Google Cloud project or organization.

    Project selector

  3. Click Upgrade, and then select Upgrade to Findings Workflow Improvements.

Switch back to the legacy Findings view

  1. Go to the Findings Workflow Improvements view in Security Command Center.

    Go to Findings

  2. If necessary, select your Google Cloud project or organization.

    Project selector

  3. To switch from the Findings Workflow Improvements view to the legacy view, click Options, and then select Go back to the legacy Findings page. Confirm your choice by clicking Go back with feedback or Go back.

Apply quick filters

  1. Go to the Findings Workflow Improvements view in Security Command Center.

    Go to Findings

  2. If necessary, select your Google Cloud project or organization.

    Project selector

    By default, the findings list is filtered to show only active findings that aren't muted. The Quick filters section and the query builder show the filters that are currently applied.

  3. In the Quick filters section, find the subsection for the attribute you want to filter on—for example, Category.

  4. Select the attribute values that the findings must have.

    By default, the attribute values that you can select are arranged by finding count, in descending order. If you want to sort the values alphabetically, click View more, and then click By name.

    As you select or clear values, the query in the Edit findings query field is updated.

  5. To reset the quick filters, click Clear all.

    Any quick filters and filters that were automatically added to the query builder are cleared.

Create or edit a findings query

To create an advanced query or refine an existing query, use the Edit findings query field, also known as the query builder. The query builder lets you include operators that aren't supported in the Quick filters section, like negation (-) and partial string matching (:). You can also use the contains function in the query builder to perform enhanced queries on complex array elements. For more information, see Filtering on array-type fields.

To form your query using the query builder, follow these steps:

  1. Go to the Findings Workflow Improvements view in Security Command Center.

    Go to Findings

  2. If necessary, select your Google Cloud project or organization.

    Project selector

    The Findings page loads. By default, the findings list is filtered to show only active findings that aren't muted. The Quick filters section and the query builder show the filters that are currently applied.

  3. If the query builder is collapsed, click Edit query to expand it.

  4. Click Add filter.

    The Select filter dialog lets you choose supported finding attributes and values.

    Query filter dialog

    1. Click the name of a finding attribute or type its name in the Search finding attributes box.
    2. Click a filter value in the list or type its name in the Search filter values box.
    3. For the selected filter value, in the drop-down menu, choose one of the following operators:
      • Equals: match findings with this exact filter value
      • Does not equal: match findings that don't have this exact filter value
      • Has: match findings with filter values that contain the text you enter in the Keyword field
      • Does not have: match findings with filter values that don't contain the text you enter in the Keyword field
      • Contains: match findings that have an array value that contains an exact match of the text you enter in the Keyword field
      • Does not contain: match findings that don't have an array value that contains the text you enter in the Keyword field
    4. Click Apply.

      The dialog closes and your query is updated.

    5. Repeat until the findings query contains all the attributes you want.

Alternatively, you can manually form a findings query the same way you form a findings filter using the Security Command Center API. As you type in your query, an autocomplete menu appears, where you can select filter names and functions.

Finding filters support common operators, including the following:

  • Strings:
    • Full equality =
    • Partial string matching :
  • Numbers:
    • Inequalities <, >, <=, >=
    • Equality =
  • Booleans:
    • Equality =
  • Logical operators:
    • AND
    • OR
    • Negation - or NOT
  • Parentheses for grouping expressions
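As an added example (this code is not from the original page or from Google's client libraries), the following Python maps the query-builder operators described above (Equals, Does not equal, Has, Does not have, Contains, Does not contain, plus the numeric comparisons) onto the filter syntax just listed, and then checks the same conditions locally against a few constructed findings so the difference between exact match (=), partial match (:) and negation (-) is visible. The string escaping rule, the joining of added filters with AND, and the `contains(field, subfield=value)` form are assumptions of this example; the service itself is the authority on how a filter is evaluated.

```python
"""Build and locally check Security Command Center findings filters.

Added example, not from the original page or Google's client library. The
escaping rule, AND joining and contains(field, subfield=value) form are assumed.
"""
from __future__ import annotations

import operator
from dataclasses import dataclass
from typing import Any

# Query-builder operator name -> (negate with '-', filter operator symbol)
_OPS = {
    "equals": (False, "="),
    "does_not_equal": (True, "="),
    "has": (False, ":"),
    "does_not_have": (True, ":"),
    "greater_than": (False, ">"),
    "less_than": (False, "<"),
    "at_least": (False, ">="),
    "at_most": (False, "<="),
}
_COMPARE = {">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le}


@dataclass(frozen=True)
class Condition:
    attribute: str               # API attribute name, e.g. "category" or "resource.project_display_name"
    op: str                      # a key of _OPS, or "contains" / "does_not_contain"
    value: Any                   # str, int, float or bool
    subfield: str | None = None  # for contains(): the array-element field to compare


def render_value(value: Any) -> str:
    """Render a literal. Strings are double-quoted with backslash and quote escaped
    (assumed rule) so a value like  x" OR category:"  cannot rewrite the filter."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return repr(value)
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def render_condition(c: Condition) -> str:
    """Translate one structured condition into filter syntax."""
    if c.op in ("contains", "does_not_contain"):
        if c.subfield is None:
            raise ValueError("contains() needs the element subfield to compare")
        expr = f"contains({c.attribute}, {c.subfield}={render_value(c.value)})"
        return f"-{expr}" if c.op == "does_not_contain" else expr
    negate, symbol = _OPS[c.op]
    expr = f"{c.attribute}{symbol}{render_value(c.value)}"
    return f"-{expr}" if negate else expr


def build_filter(conditions: list[Condition]) -> str:
    """Join conditions with AND (assumption: how added filters are combined)."""
    return " AND ".join(render_condition(c) for c in conditions)


def _lookup(finding: dict, path: str) -> Any:
    """Resolve a dotted attribute path inside a finding dict; None if absent."""
    node: Any = finding
    for part in path.split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    return node


def matches(finding: dict, c: Condition) -> bool:
    """Local approximation of one condition: '=' is exact, ':' is substring."""
    actual = _lookup(finding, c.attribute)
    if c.op in ("contains", "does_not_contain"):
        hit = isinstance(actual, list) and any(
            isinstance(el, dict) and el.get(c.subfield) == c.value for el in actual)
        return hit if c.op == "contains" else not hit
    negate, symbol = _OPS[c.op]
    if actual is None:
        result = False  # an absent attribute never satisfies a positive test
    elif symbol == "=":
        result = actual == c.value
    elif symbol == ":":
        result = str(c.value).lower() in str(actual).lower()
    else:
        result = _COMPARE[symbol](actual, c.value)
    return (not result) if negate else result


def filter_findings(findings: list[dict], conditions: list[Condition]) -> list[dict]:
    """Keep the findings that satisfy every condition."""
    return [f for f in findings if all(matches(f, c) for c in conditions)]


# Constructed sample findings in a simplified shape (not real data).
SAMPLE_FINDINGS = [
    {"category": "OPEN_FIREWALL", "severity": "HIGH", "state": "ACTIVE", "mute": "UNMUTED",
     "resource": {"project_display_name": "prod-web"}, "iam_bindings": []},
    {"category": "OPEN_SSH_PORT", "severity": "MEDIUM", "state": "ACTIVE", "mute": "MUTED",
     "resource": {"project_display_name": "prod-db"}, "iam_bindings": []},
    {"category": "IAM_ANOMALOUS_GRANT", "severity": "HIGH", "state": "INACTIVE", "mute": "UNMUTED",
     "resource": {"project_display_name": "dev-sandbox"},
     "iam_bindings": [{"action": "ADD", "role": "roles/owner", "member": "user:alice@example.com"}]},
]

# The page's default view (active, not muted), narrowed to categories containing OPEN.
DEFAULT_VIEW = [Condition("state", "equals", "ACTIVE"),
                Condition("mute", "does_not_equal", "MUTED"),
                Condition("category", "has", "OPEN")]

if __name__ == "__main__":
    print(build_filter(DEFAULT_VIEW))
    for f in filter_findings(SAMPLE_FINDINGS, DEFAULT_VIEW):
        print(f["category"], f["resource"]["project_display_name"])
```

Running the block prints `state="ACTIVE" AND -mute="MUTED" AND category:"OPEN"` and lists only the unmuted active `OPEN_FIREWALL` finding. Replacing `has` with `equals` for the value `OPEN` matches nothing, which is the exact-versus-partial distinction the Has and Equals operators make; the `render_value` escaping is what keeps a user-supplied filter value from changing the structure of the query.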

When you're working in the query builder, the Quick filters section of the page is deactivated to avoid conflicts between the two.

Update the findings query from a finding's details pane

From the finding details pane, you can add a finding property value to your query. Conversely, you can exclude that value from the query. Your changes are applied to the query builder and quick filters in the main Findings page.

You can perform this task for any attribute value that appears as a drop-down menu.

Context menu for a property value

  1. Go to the Findings Workflow Improvements view in Security Command Center.

    Go to Findings

  2. If necessary, select your Google Cloud project or organization.

    Project selector

  3. Click the category name of the finding.

    The finding's details pane appears.

  4. Click the attribute value that you want to include or exclude.

  5. Do one of the following:

    • To update the query such that it only shows findings with this property value, select Append to the current finding query.
    • To update the query such that it excludes findings with this property value, select Hide from the current finding query.

The details pane closes, and the findings query is updated.

View or copy the JSON definition of a finding

The JSON definition lets you inspect all elements of a finding. It's useful when you're investigating a finding or looking up attributes that you can use in your finding queries.

  1. Go to the Findings Workflow Improvements view in Security Command Center.

    Go to Findings

  2. If necessary, select your Google Cloud project or organization.

    Project selector

  3. Click the category name of the finding.

    The finding's details pane appears.

  4. Click the JSON tab.

    The finding's JSON definition appears.

  5. To copy the JSON object, click Copy.

    The JSON object is copied to your clipboard.

Send feedback to the Security Command Center team

We are always looking for ways to improve our service. Your feedback will help us improve our products and create a better experience for all Security Command Center users.

To send feedback, follow these steps:

  1. Go to the Findings Workflow Improvements view in Security Command Center.

    Go to Findings

  2. If necessary, select your Google Cloud project or organization.

    Project selector

  3. Click Options, and select Send feedback.

What's next

Learn how to form a findings filter using the Security Command Center API.