Security Command Center API を使用して知見を管理する

このガイドでは、Security Command Center API を使用した検出結果の作成、更新について説明します。

始める前に

知見を作成および更新する前に、次の手順を行う必要があります。

このガイドを完了するには、組織レベルで Identity and Access Management（IAM）のSecurity Center 検出結果編集者（securitycenter.findingsEditor）ロールが必要です。Security Command Center のロールの詳細については、アクセス制御をご覧ください。

セキュリティマークが付いた知見を作成するには、使用するマークの種類に対する権限を含む次の IAM ロールも必要です。

Asset セキュリティマークライター（securitycenter.assetSecurityMarksWriter）
セキュリティマークライターの検出（securitycenter.findingSecurityMarksWriter）

マークの詳細については、Security Command Center のセキュリティマークの使用をご覧ください。

知見の作成

ソースに対してアクティブな検出結果を作成します。

gcloud

  # ORGANIZATION=12344321
  # SOURCE=43211234
  # FINDING_ID=testfindingid
  # EVENT_TIME follows the format YYYY-MM-DDThh:mm:ss.ffffffZ
  EVENT_TIME=2019-02-28T07:00:06.861Z
  STATE=ACTIVE
  CATEGORY=MEDIUM_RISK_ONE
  RESOURCE_NAME=//cloudresourcemanager.googleapis.com/projects/PROJECT_ID

  gcloud scc findings create $FINDING_ID \
      --source $SOURCE \
      --organization $ORGANIZATION \
      --state $STATE \
      --category $CATEGORY \
      --event-time $EVENT_TIME
      --resource-name $RESOURCE_NAME

他の例については、次のコマンドを実行します。

  gcloud scc findings create --help

Python

import datetime

from google.cloud import securitycenter
from google.cloud.securitycenter_v1 import Finding

# Create a new client.
client = securitycenter.SecurityCenterClient()

# Use the current time as the finding "event time".
event_time = datetime.datetime.now(tz=datetime.timezone.utc)

# 'source_name' is the resource path for a source that has been
# created previously (you can use list_sources to find a specific one).
# Its format is:
# source_name = "organizations/{organization_id}/sources/{source_id}"
# e.g.:
# source_name = "organizations/111122222444/sources/1234"

# The resource this finding applies to.  The CSCC UI can link
# the findings for a resource to the corresponding Asset of a resource
# if there are matches.
resource_name = "//cloudresourcemanager.googleapis.com/organizations/11232"

finding = Finding(
    state=Finding.State.ACTIVE,
    resource_name=resource_name,
    category="MEDIUM_RISK_ONE",
    event_time=event_time,
)

# Call The API.
created_finding = client.create_finding(
    request={"parent": source_name, "finding_id": finding_id, "finding": finding}
)
print(created_finding)

Java

static Finding createFinding(SourceName sourceName, String findingId) {
  try (SecurityCenterClient client = SecurityCenterClient.create()) {
    // SourceName sourceName = SourceName.of(/*organization=*/"123234324",/*source=*/
    // "423432321");
    // String findingId = "samplefindingid";

    // Use the current time as the finding "event time".
    Instant eventTime = Instant.now();

    // The resource this finding applies to.  The CSCC UI can link
    // the findings for a resource to the corresponding Asset of a resource
    // if there are matches.
    String resourceName = "//cloudresourcemanager.googleapis.com/organizations/11232";

    // Start setting up a request to create a finding in a source.
    Finding finding =
        Finding.newBuilder()
            .setParent(sourceName.toString())
            .setState(State.ACTIVE)
            .setResourceName(resourceName)
            .setEventTime(
                Timestamp.newBuilder()
                    .setSeconds(eventTime.getEpochSecond())
                    .setNanos(eventTime.getNano()))
            .setCategory("MEDIUM_RISK_ONE")
            .build();

    // Call the API.
    Finding response = client.createFinding(sourceName, findingId, finding);

    System.out.println("Created Finding: " + response);
    return response;
  } catch (IOException e) {
    throw new RuntimeException("Couldn't create client.", e);
  }
}

Go

import (
	"context"
	"fmt"
	"io"
	"time"

	securitycenter "cloud.google.com/go/securitycenter/apiv1"
	"cloud.google.com/go/securitycenter/apiv1/securitycenterpb"
	"github.com/golang/protobuf/ptypes"
)

// createFinding demonstrates how to create a new security finding in CSCC.
// sourceName is the full resource name of the source the finding should
// be associated with.
func createFinding(w io.Writer, sourceName string) error {
	// sourceName := "organizations/111122222444/sources/1234"
	// Instantiate a context and a security service client to make API calls.
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %w", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.
	// Use now as the eventTime for the security finding.
	eventTime, err := ptypes.TimestampProto(time.Now())
	if err != nil {
		return fmt.Errorf("TimestampProto: %w", err)
	}

	req := &securitycenterpb.CreateFindingRequest{
		Parent:    sourceName,
		FindingId: "samplefindingid",
		Finding: &securitycenterpb.Finding{
			State: securitycenterpb.Finding_ACTIVE,
			// Resource the finding is associated with. This is an
			// example any resource identifier can be used.
			ResourceName: "//cloudresourcemanager.googleapis.com/organizations/11232",
			// A free-form category.
			Category: "MEDIUM_RISK_ONE",
			// The time associated with discovering the issue.
			EventTime: eventTime,
		},
	}
	finding, err := client.CreateFinding(ctx, req)
	if err != nil {
		return fmt.Errorf("CreateFinding: %w", err)
	}
	fmt.Fprintf(w, "New finding created: %s\n", finding.Name)
	fmt.Fprintf(w, "Event time (Epoch Seconds): %d\n", eventTime.Seconds)
	return nil
}

Node.js

// Imports the Google Cloud client library.
const {SecurityCenterClient} = require('@google-cloud/security-center');

// Creates a new client.
const client = new SecurityCenterClient();
// sourceName is the full resource name of the source the finding should
// be associated with.
/*
 * TODO(developer): Uncomment the following lines
 */
// const sourceName = "organizations/111122222444/sources/1234";

// Use now as the eventTime for the security finding.
const eventTime = new Date();
async function createFinding() {
  const [newFinding] = await client.createFinding({
    parent: sourceName,
    findingId: 'samplefindingid',
    finding: {
      state: 'ACTIVE',
      // Resource the finding is associated with.  This is an
      // example any resource identifier can be used.
      resourceName:
        '//cloudresourcemanager.googleapis.com/organizations/11232',
      // A free-form category.
      category: 'MEDIUM_RISK_ONE',
      // The time associated with discovering the issue.
      eventTime: {
        seconds: Math.floor(eventTime.getTime() / 1000),
        nanos: (eventTime.getTime() % 1000) * 1e6,
      },
    },
  });
  console.log('New finding created: %j', newFinding);
}
await createFinding();

検出結果のデータが Security Command Center に保存される期間については、検出結果の保持をご覧ください。

ソースプロパティを使用して知見を作成する

Security Command Center では、「ソースプロパティ」と呼ばれる Key-Value メタデータを使用して、コンテキストを知見に追加できます。ソースプロパティは作成時に初期化できます。以下の例は、ソースプロパティを使用して知見を作成する方法を示しています。

ソースプロパティを使用して知見を作成します。source_properties マップ内のキー名の長さは 1〜255 文字で、文字で始まり、英数字またはアンダースコアのみを含む必要があります。Security Command Center は、ブール値、数値、文字列の値のみをサポートしています。

gcloud

  # ORGANIZATION=12344321
  # SOURCE=43211234
  # FINDING_ID=testfindingid
  # EVENT_TIME follows the format YYYY-MM-DDThh:mm:ss.ffffffZ
  EVENT_TIME=2019-02-28T07:00:06.861Z
  STATE=ACTIVE
  CATEGORY=MEDIUM_RISK_ONE
  SOURCE_PROPERTY_KEY=gcloud_client_test
  SOURCE_PROPERTY_VALUE=value
  RESOURCE_NAME=//cloudresourcemanager.googleapis.com/projects/PROJECT_ID

  gcloud scc findings create $FINDING_ID \
      --source $SOURCE \
      --organization $ORGANIZATION \
      --state $STATE \
      --category $CATEGORY \
      --event-time $EVENT_TIME \
      --source-properties $SOURCE_PROPERTY_KEY=$SOURCE_PROPERTY_VALUE
      --resource-name $RESOURCE_NAME

Key-Value ペアのカンマ区切りリストを使用して、さらにソースプロパティを追加できます。

他の例については、次のコマンドを実行します。

  gcloud scc findings create --help

Python

import datetime

from google.cloud import securitycenter
from google.cloud.securitycenter_v1 import Finding
from google.protobuf.struct_pb2 import Value

# Create a new client.
client = securitycenter.SecurityCenterClient()

# 'source_name' is the resource path for a source that has been
# created previously (you can use list_sources to find a specific one).
# Its format is:
# source_name = "organizations/{organization_id}/sources/{source_id}"
# e.g.:
# source_name = "organizations/111122222444/sources/1234"

# Controlled by caller.
finding_id = "samplefindingid2"

# The resource this finding applies to.  The CSCC UI can link
# the findings for a resource to the corresponding Asset of a resource
# if there are matches.
resource_name = "//cloudresourcemanager.googleapis.com/organizations/11232"

# Define source properties values as protobuf "Value" objects.
str_value = Value()
str_value.string_value = "string_example"
num_value = Value()
num_value.number_value = 1234

# Use the current time as the finding "event time".
event_time = datetime.datetime.now(tz=datetime.timezone.utc)

finding = Finding(
    state=Finding.State.ACTIVE,
    resource_name=resource_name,
    category="MEDIUM_RISK_ONE",
    source_properties={"s_value": "string_example", "n_value": 1234},
    event_time=event_time,
)

created_finding = client.create_finding(
    request={"parent": source_name, "finding_id": finding_id, "finding": finding}
)
print(created_finding)

Java

static Finding createFindingWithSourceProperties(SourceName sourceName) {
  try (SecurityCenterClient client = SecurityCenterClient.create()) {
    // SourceName sourceName = SourceName.of(/*organization=*/"123234324",/*source=*/
    // "423432321");

    // Use the current time as the finding "event time".
    Instant eventTime = Instant.now();

    // Controlled by caller.
    String findingId = "samplefindingid2";

    // The resource this finding applies to.  The CSCC UI can link
    // the findings for a resource to the corresponding Asset of a resource
    // if there are matches.
    String resourceName = "//cloudresourcemanager.googleapis.com/organizations/11232";

    // Define source properties values as protobuf "Value" objects.
    Value stringValue = Value.newBuilder().setStringValue("stringExample").build();
    Value numValue = Value.newBuilder().setNumberValue(1234).build();
    ImmutableMap<String, Value> sourceProperties =
        ImmutableMap.of("stringKey", stringValue, "numKey", numValue);

    // Start setting up a request to create a finding in a source.
    Finding finding =
        Finding.newBuilder()
            .setParent(sourceName.toString())
            .setState(State.ACTIVE)
            .setResourceName(resourceName)
            .setEventTime(
                Timestamp.newBuilder()
                    .setSeconds(eventTime.getEpochSecond())
                    .setNanos(eventTime.getNano()))
            .putAllSourceProperties(sourceProperties)
            .build();

    // Call the API.
    Finding response = client.createFinding(sourceName, findingId, finding);

    System.out.println("Created Finding with Source Properties: " + response);
    return response;
  } catch (IOException e) {
    throw new RuntimeException("Couldn't create client.", e);
  }
}

Go

import (
	"context"
	"fmt"
	"io"
	"time"

	securitycenter "cloud.google.com/go/securitycenter/apiv1"
	"cloud.google.com/go/securitycenter/apiv1/securitycenterpb"
	"github.com/golang/protobuf/ptypes"
	structpb "github.com/golang/protobuf/ptypes/struct"
)

// createFindingWithProperties demonstrates how to create a new security
// finding in CSCC that includes additional metadata via sourceProperties.
// sourceName is the full resource name of the source the finding should be
// associated with.
func createFindingWithProperties(w io.Writer, sourceName string) error {
	// sourceName := "organizations/111122222444/sources/1234"
	// Instantiate a context and a security service client to make API calls.
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %w", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.
	// Use now as the eventTime for the security finding.
	eventTime, err := ptypes.TimestampProto(time.Now())
	if err != nil {
		return fmt.Errorf("TimestampProto: %w", err)
	}

	req := &securitycenterpb.CreateFindingRequest{
		Parent:    sourceName,
		FindingId: "samplefindingprops",
		Finding: &securitycenterpb.Finding{
			State: securitycenterpb.Finding_ACTIVE,
			// Resource the finding is associated with.  This is an
			// example any resource identifier can be used.
			ResourceName: "//cloudresourcemanager.googleapis.com/organizations/11232",
			// A free-form category.Error converting now
			Category: "MEDIUM_RISK_ONE",
			// The time associated with discovering the issue.
			EventTime: eventTime,
			// Define key-value pair metadata to include with the finding.
			SourceProperties: map[string]*structpb.Value{
				"s_value": {
					Kind: &structpb.Value_StringValue{StringValue: "string_example"},
				},
				"n_value": {
					Kind: &structpb.Value_NumberValue{NumberValue: 1234},
				},
			},
		},
	}

	finding, err := client.CreateFinding(ctx, req)
	if err != nil {
		return fmt.Errorf("CreateFinding: %w", err)
	}
	fmt.Fprintf(w, "New finding created: %s\n", finding.Name)
	fmt.Fprintf(w, "Event time (Epoch Seconds): %d\n", eventTime.Seconds)
	fmt.Fprintf(w, "Source Properties:\n")
	for k, v := range finding.SourceProperties {
		fmt.Fprintf(w, "%s = %v\n", k, v)
	}

	return nil
}

Node.js

// Imports the Google Cloud client library.
const {SecurityCenterClient} = require('@google-cloud/security-center');

// Creates a new client.
const client = new SecurityCenterClient();
// sourceName is the full resource name of the source the finding should
// be associated with.
/*
 * TODO(developer): Uncomment the following lines
 */
// const sourceName = "organizations/111122222444/sources/1234";

// Use now as the eventTime for the security finding.
const eventTime = new Date();
async function createFinding() {
  const [newFinding] = await client.createFinding({
    parent: sourceName,
    findingId: 'findingwithprops',
    finding: {
      state: 'ACTIVE',
      // Resource the finding is associated with.  This is an
      // example any resource identifier can be used.
      resourceName:
        '//cloudresourcemanager.googleapis.com/organizations/11232',
      // A free-form category.
      category: 'MEDIUM_RISK_ONE',
      // The time associated with discovering the issue.
      eventTime: {
        seconds: Math.floor(eventTime.getTime() / 1000),
        nanos: (eventTime.getTime() % 1000) * 1e6,
      },
      sourceProperties: {
        s_value: {stringValue: 'string_example'},
        n_value: {numberValue: 1234},
      },
    },
  });
  console.log('New finding created: %j', newFinding);
}
createFinding();

検出結果のソースプロパティの更新

次の例は、個別のソースプロパティとイベント時間を更新する方法を示しています。フィールドマスクを使用して、特定のフィールドのみを更新しています。フィールドマスクを使用しない場合は、新しい値によって、検出結果の変更可能なすべてのフィールドが置き換えられます。

新しい知見を作成する場合と同様に、source_properties マップのキー名は 1〜255 文字で、先頭は文字で始まり、英数字またはアンダースコアのみを含む必要があります。Security Command Center は、ブール値、数値、文字列の値のみをサポートしています。

gcloud

  # ORGANIZATION=12344321
  # SOURCE=43211234
  # FINDING_ID=testfindingid
  # EVENT_TIME follows the format YYYY-MM-DDThh:mm:ss.ffffffZ
  EVENT_TIME=2019-02-28T08:00:06.861Z
  SOURCE_PROPERTY_KEY=gcloud_client_test
  SOURCE_PROPERTY_VALUE=VALUE
  UPDATE_MASK=source_properties,event_time

  gcloud scc findings update $FINDING_ID \
      --source $SOURCE \
      --organization $ORGANIZATION \
      --event-time $EVENT_TIME \
      --source-properties $SOURCE_PROPERTY_KEY=$SOURCE_PROPERTY_VALUE \
      --update-mask=$UPDATE_MASK

すべての変更可能なフィールドをオーバーライドするには、--update-mask "（空）を使用します。
Key-Value ペアのカンマ区切りリストを使用して、さらにソースプロパティを追加できます。

他の例については、次のコマンドを実行します。

  gcloud scc findings update --help

Python

import datetime

from google.cloud import securitycenter
from google.cloud.securitycenter_v1 import Finding
from google.protobuf import field_mask_pb2

client = securitycenter.SecurityCenterClient()
# Only update the specific source property and event_time.  event_time
# is required for updates.
field_mask = field_mask_pb2.FieldMask(
    paths=["source_properties.s_value", "event_time"]
)

# Set the update time to Now.  This must be some time greater then the
# event_time on the original finding.
event_time = datetime.datetime.now(tz=datetime.timezone.utc)

# 'source_name' is the resource path for a source that has been
# created previously (you can use list_sources to find a specific one).
# Its format is:
# source_name = "organizations/{organization_id}/sources/{source_id}"
# e.g.:
# source_name = "organizations/111122222444/sources/1234"
finding_name = f"{source_name}/findings/samplefindingid2"
finding = Finding(
    name=finding_name,
    source_properties={"s_value": "new_string"},
    event_time=event_time,
)
updated_finding = client.update_finding(
    request={"finding": finding, "update_mask": field_mask}
)

print(
    "New Source properties: {}, Event Time {}".format(
        updated_finding.source_properties, updated_finding.event_time
    )
)

Java

static Finding updateFinding(FindingName findingName) {
  try (SecurityCenterClient client = SecurityCenterClient.create()) {
    // FindingName findingName = FindingName.of(/*organization=*/"123234324",
    // /*source=*/"423432321", /*findingId=*/"samplefindingid2");

    // Use the current time as the finding "event time".
    Instant eventTime = Instant.now();

    // Define source properties values as protobuf "Value" objects.
    Value stringValue = Value.newBuilder().setStringValue("value").build();

    FieldMask updateMask =
        FieldMask.newBuilder()
            .addPaths("event_time")
            .addPaths("source_properties.stringKey")
            .build();

    Finding finding =
        Finding.newBuilder()
            .setName(findingName.toString())
            .setEventTime(
                Timestamp.newBuilder()
                    .setSeconds(eventTime.getEpochSecond())
                    .setNanos(eventTime.getNano()))
            .putSourceProperties("stringKey", stringValue)
            .build();

    UpdateFindingRequest.Builder request =
        UpdateFindingRequest.newBuilder().setFinding(finding).setUpdateMask(updateMask);

    // Call the API.
    Finding response = client.updateFinding(request.build());

    System.out.println("Updated Finding: " + response);
    return response;
  } catch (IOException e) {
    throw new RuntimeException("Couldn't create client.", e);
  }
}

Go

import (
	"context"
	"fmt"
	"io"
	"time"

	securitycenter "cloud.google.com/go/securitycenter/apiv1"
	"cloud.google.com/go/securitycenter/apiv1/securitycenterpb"
	"github.com/golang/protobuf/ptypes"
	structpb "github.com/golang/protobuf/ptypes/struct"
	"google.golang.org/genproto/protobuf/field_mask"
)

// updateFindingSourceProperties demonstrates how to update a security finding
// in CSCC. findingName is the full resource name of the finding to update.
func updateFindingSourceProperties(w io.Writer, findingName string) error {
	// findingName := "organizations/111122222444/sources/1234/findings/findingid"
	// Instantiate a context and a security service client to make API calls.
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %w", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.
	// Use now as the eventTime for the security finding.
	eventTime, err := ptypes.TimestampProto(time.Now())
	if err != nil {
		return fmt.Errorf("TimestampProto: %w", err)
	}

	req := &securitycenterpb.UpdateFindingRequest{
		Finding: &securitycenterpb.Finding{
			Name:      findingName,
			EventTime: eventTime,
			SourceProperties: map[string]*structpb.Value{
				"s_value": {
					Kind: &structpb.Value_StringValue{StringValue: "new_string_example"},
				},
			},
		},
		// Needed to only update the specific source property s_value
		// and EventTime. EventTime is a required field.
		UpdateMask: &field_mask.FieldMask{
			Paths: []string{"event_time", "source_properties.s_value"},
		},
	}

	finding, err := client.UpdateFinding(ctx, req)
	if err != nil {
		return fmt.Errorf("UpdateFinding: %w", err)
	}
	fmt.Fprintf(w, "Finding updated: %s\n", finding.Name)
	fmt.Fprintf(w, "Finding state: %v\n", finding.State)
	fmt.Fprintf(w, "Event time (Epoch Seconds): %d\n", eventTime.Seconds)
	fmt.Fprintf(w, "Source Properties:\n")
	for k, v := range finding.SourceProperties {
		fmt.Fprintf(w, "%s = %v\n", k, v)
	}
	return nil
}

Node.js

// Imports the Google Cloud client library.
const {SecurityCenterClient} = require('@google-cloud/security-center');

// Creates a new client.
const client = new SecurityCenterClient();

// findingName is the full resource name of the finding to update.
/*
 * TODO(developer): Uncomment the following lines
 */
// const findingName =
// "organizations/111122222444/sources/1234/findings/findingid";

// Use now as the eventTime for the security finding.
const eventTime = new Date();
console.log(findingName);
async function updateFinding() {
  const [newFinding] = await client.updateFinding({
    updateMask: {paths: ['event_time', 'source_properties.s_value']},
    finding: {
      name: findingName,
      // The time associated with discovering the issue.
      eventTime: {
        seconds: Math.floor(eventTime.getTime() / 1000),
        nanos: (eventTime.getTime() % 1000) * 1e6,
      },
      sourceProperties: {
        s_value: {stringValue: 'new_string_example'},
      },
    },
  });
  console.log('Updated Finding: %j', newFinding);
}
updateFinding();

検出結果の状態の更新

Security Command Center には、知見の状態だけを更新する API も用意されています。この API は、知見の状態だけを更新する方法を提供するために存在します。これは、プリンシパルに状態の変更のみを許可し、知見の他の部分を変更できないようにするシンプルな API です。下記の例では、知見の状態を非アクティブに変更する方法を示します。

gcloud

  # ORGANIZATION=12344321
  # SOURCE=43211234
  # FINDING_ID=testfindingid
  # EVENT_TIME follows the format YYYY-MM-DDThh:mm:ss.ffffffZ
  EVENT_TIME=2019-02-28T09:00:06.861Z
  STATE=INACTIVE

  gcloud scc findings update $FINDING_ID \
      --source $SOURCE \
      --organization $ORGANIZATION \
      --state $STATE \
      --event-time $EVENT_TIME

他の例については、次のコマンドを実行します。

  gcloud scc findings update --help

Python

import datetime

from google.cloud import securitycenter
from google.cloud.securitycenter_v1 import Finding

# Create a client.
client = securitycenter.SecurityCenterClient()
# 'source_name' is the resource path for a source that has been
# created previously (you can use list_sources to find a specific one).
# Its format is:
# source_name = "organizations/{organization_id}/sources/{source_id}"
# e.g.:
# source_name = "organizations/111122222444/sources/1234"
finding_name = f"{source_name}/findings/samplefindingid2"

# Call the API to change the finding state to inactive as of now.
new_finding = client.set_finding_state(
    request={
        "name": finding_name,
        "state": Finding.State.INACTIVE,
        "start_time": datetime.datetime.now(tz=datetime.timezone.utc),
    }
)
print(f"New state: {new_finding.state}")

Java

static Finding setFindingState(FindingName findingName) {
  try (SecurityCenterClient client = SecurityCenterClient.create()) {
    // FindingName findingName = FindingName.of(/*organization=*/"123234324",
    // /*source=*/"423432321", /*findingId=*/"samplefindingid2");

    // Use the current time as the finding "event time".
    Instant eventTime = Instant.now();

    Finding response =
        client.setFindingState(
            findingName,
            State.INACTIVE,
            Timestamp.newBuilder()
                .setSeconds(eventTime.getEpochSecond())
                .setNanos(eventTime.getNano())
                .build());

    System.out.println("Updated Finding: " + response);
    return response;
  } catch (IOException e) {
    throw new RuntimeException("Couldn't create client.", e);
  }
}

Go

import (
	"context"
	"fmt"
	"io"
	"time"

	securitycenter "cloud.google.com/go/securitycenter/apiv1"
	"cloud.google.com/go/securitycenter/apiv1/securitycenterpb"
	"github.com/golang/protobuf/ptypes"
)

// updateFindingState demonstrates how to update a security finding's state
// in CSCC.  findingName is the full resource name of the finding to update.
func setFindingState(w io.Writer, findingName string) error {
	// findingName := "organizations/111122222444/sources/1234"
	// Instantiate a context and a security service client to make API calls.
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %w", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.
	// Use now as the eventTime for the security finding.
	now, err := ptypes.TimestampProto(time.Now())
	if err != nil {
		return fmt.Errorf("TimestampProto: %w", err)
	}

	req := &securitycenterpb.SetFindingStateRequest{
		Name:  findingName,
		State: securitycenterpb.Finding_INACTIVE,
		// New state is effective immediately.
		StartTime: now,
	}

	finding, err := client.SetFindingState(ctx, req)
	if err != nil {
		return fmt.Errorf("SetFindingState: %w", err)
	}

	fmt.Fprintf(w, "Finding updated: %s\n", finding.Name)
	fmt.Fprintf(w, "Finding state: %v\n", finding.State)
	fmt.Fprintf(w, "Event time (Epoch Seconds): %d\n", finding.EventTime.Seconds)

	return nil
}

Node.js

// Imports the Google Cloud client library.
const {SecurityCenterClient} = require('@google-cloud/security-center');

// Creates a new client.
const client = new SecurityCenterClient();

// findingName is the full resource name of the source the finding should
// be associated with.
/*
 * TODO(developer): Uncomment the following lines
 */
// const findingName =
// "organizations/111122222444/sources/1234/findings/findingid";
async function setFindingState() {
  const eventTime = new Date();
  const [updatedFinding] = await client.setFindingState({
    name: findingName,
    state: 'INACTIVE',
    // use now as the time when the new state takes effect.
    startTime: {
      seconds: Math.floor(eventTime.getTime() / 1000),
      nanos: (eventTime.getTime() % 1000) * 1e6,
    },
  });
  console.log('Updated Finding: %j', updatedFinding);
}
setFindingState();

検出結果の権限の確認

知見を作成または更新するには、次のいずれかの IAM 権限が必要です。

知見の作成と更新: securitycenter.findings.update。
知見の更新のみ: securitycenter.findings.setState。

ソースの検出結果を作成できない場合は、次のコードを使用して、始める前にのセクションに記載されている必要な権限がアカウントに付与されていることを確認してください。必要な権限が付与されていない場合は、セキュリティソースの作成と管理を参照して適切な IAM ポリシーを設定してください。

Python

from google.cloud import securitycenter

# Create a client.
client = securitycenter.SecurityCenterClient()
# 'source_name' is the resource path for a source that has been
# created previously (you can use list_sources to find a specific one).
# Its format is:
# source_name = "organizations/{organization_id}/sources/{source_id}"
# e.g.:
# source_name = "organizations/111122222444/sources/1234"

# Check for permssions to call create_finding or update_finding.
permission_response = client.test_iam_permissions(
    request={
        "resource": source_name,
        "permissions": ["securitycenter.findings.update"],
    }
)

print(
    "Permision to create or update findings? {}".format(
        len(permission_response.permissions) > 0
    )
)
# Check for permissions necessary to call set_finding_state.
permission_response = client.test_iam_permissions(
    request={
        "resource": source_name,
        "permissions": ["securitycenter.findings.setState"],
    }
)
print(f"Permision to update state? {len(permission_response.permissions) > 0}")

Java

static TestIamPermissionsResponse testIamPermissions(SourceName sourceName) {
  try (SecurityCenterClient client = SecurityCenterClient.create()) {
    // SourceName sourceName = SourceName.of(/*organizationId=*/"123234324",
    // /*sourceId=*/"423432321");

    // Iam permission to test.
    List<String> permissionsToTest = new ArrayList<>();
    permissionsToTest.add("securitycenter.findings.update");

    // Call the API.
    TestIamPermissionsResponse response =
        client.testIamPermissions(sourceName.toString(), permissionsToTest);
    System.out.println("IAM Permission:");
    System.out.println(response);

    return response;
  } catch (IOException e) {
    throw new RuntimeException("Couldn't create client.", e);
  }
}

Go

import (
	"context"
	"fmt"
	"io"

	iam "cloud.google.com/go/iam/apiv1/iampb"
	securitycenter "cloud.google.com/go/securitycenter/apiv1"
)

// testIam demonstrates how to determine if your service user has appropriate
// access to create and update findings, it writes permissions to w.
// sourceName is the full resource name of the source to test for permissions.
func testIam(w io.Writer, sourceName string) error {
	// sourceName := "organizations/111122222444/sources/1234"
	// Instantiate a context and a security service client to make API calls.
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %w", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.
	// Check for create/update Permissions.
	req := &iam.TestIamPermissionsRequest{
		Resource:    sourceName,
		Permissions: []string{"securitycenter.findings.update"},
	}

	policy, err := client.TestIamPermissions(ctx, req)
	if err != nil {
		return fmt.Errorf("Error getting IAM policy: %w", err)
	}
	fmt.Fprintf(w, "Permision to create/update findings? %t",
		len(policy.Permissions) > 0)

	// Check for updating state Permissions
	req = &iam.TestIamPermissionsRequest{
		Resource:    sourceName,
		Permissions: []string{"securitycenter.findings.setState"},
	}

	policy, err = client.TestIamPermissions(ctx, req)
	if err != nil {
		return fmt.Errorf("Error getting IAM policy: %w", err)
	}
	fmt.Fprintf(w, "Permision to update state? %t",
		len(policy.Permissions) > 0)

	return nil
}

Node.js

// Imports the Google Cloud client library.
const {SecurityCenterClient} = require('@google-cloud/security-center');

// Creates a new client.
const client = new SecurityCenterClient();

// sourceName is the full resource name of the source to test for permissions.
/*
 * TODO(developer): Uncomment the following lines
 */
// const sourceName = "organizations/111122222444/sources/1234";
async function testIam() {
  {
    const [policy] = await client.testIamPermissions({
      resource: sourceName,
      permissions: ['securitycenter.findings.update'],
    });
    console.log(
      `Permissions to create/update findings? ${
        policy.permissions.length > 0
      }`
    );
  }
  {
    const [policy] = await client.testIamPermissions({
      resource: sourceName,
      permissions: ['securitycenter.findings.setState'],
    });
    console.log(
      `Permissions to update state? ${policy.permissions.length > 0}`
    );
  }
}
testIam();

次のステップ

クライアントライブラリを使用した Security Command Center へのアクセスについて詳細を確認する。

Security Command Center API を使用して知見を管理する

始める前に

知見の作成

gcloud

Python

Java

Go

Node.js

ソース プロパティを使用して知見を作成する

gcloud

Python

Java

Go

Node.js

検出結果のソース プロパティの更新

gcloud

Python

Java

Go

Node.js

検出結果の状態の更新

gcloud

Python

Java

Go

Node.js

検出結果の権限の確認

Python

Java

Go

Node.js

次のステップ

ソースプロパティを使用して知見を作成する

検出結果のソースプロパティの更新