Gérer les résultats à l'aide de l'API Security Command Center

>

Ce guide vous explique comment créer et mettre à jour des résultats à l'aide de l'API Security Command Center.

Avant de commencer

Avant de créer et de mettre à jour des résultats, vous devez effectuer les opérations suivantes :

Pour suivre ce guide, vous devez disposer du rôle securitycenter.findingsEditor pour la source de sécurité. Pour en savoir plus, consultez les pages Contrôle des accès et Créer et gérer des sources de sécurité.

Si vous souhaitez créer des résultats avec des marques de sécurité, vous devez également disposer d'un rôle IAM qui inclut des autorisations pour le type de marque que vous souhaitez utiliser :

  • Marques d'éléments : Rédacteur de marques de sécurité d'élément, securitycenter.assetSecurityMarksWriter
  • Marques de résultats : Rédacteur de marques de sécurité de résultat, securitycenter.findingSecurityMarksWriter

Pour en savoir plus sur les marques, consultez la page Utiliser les marques de sécurité de Security Command Center.

Créer un résultat

Créez une recherche active pour une source.

gcloud

  # ORGANIZATION=12344321
  # SOURCE=43211234
  # FINDING_ID=testfindingid
  # EVENT_TIME follows the format YYYY-MM-DDThh:mm:ss.ffffffZ
  EVENT_TIME=2019-02-28T07:00:06.861Z
  STATE=ACTIVE
  CATEGORY=MEDIUM_RISK_ONE

  gcloud scc findings create $FINDING_ID \
      --source $SOURCE \
      --organization $ORGANIZATION \
      --state $STATE \
      --category $CATEGORY \
      --event-time $EVENT_TIME

Pour plus d'exemples, exécutez la commande suivante :

  gcloud scc findings create --help

Python

from google.cloud import securitycenter
from google.cloud.securitycenter_v1.proto.finding_pb2 import Finding
from google.protobuf.timestamp_pb2 import Timestamp

# Create a new client.
client = securitycenter.SecurityCenterClient()

# Use the current time as the finding "event time".
now_proto = Timestamp()
now_proto.GetCurrentTime()

# source_name is the resource path for a source that has been
# created previously (you can use list_sources to find a specific one).
# Its format is:
# source_name = "organizations/{organization_id}/sources/{source_id}"
# e.g.:
# source_name = "organizations/111122222444/sources/1234"

# Controlled by caller.
finding_id = "samplefindingid"

# The resource this finding applies to.  The CSCC UI can link
# the findings for a resource to the corresponding Asset of a resource
# if there are matches.
resource_name = "//cloudresourcemanager.googleapis.com/organizations/11232"

# Call The API.
created_finding = client.create_finding(
    source_name,
    finding_id,
    {
        "state": Finding.ACTIVE,
        "resource_name": resource_name,
        "category": "MEDIUM_RISK_ONE",
        "event_time": now_proto,
    },
)
print(created_finding)

Java

static Finding createFinding(SourceName sourceName, String findingId) {
  try (SecurityCenterClient client = SecurityCenterClient.create()) {
    // SourceName sourceName = SourceName.of(/*organization=*/"123234324",/*source=*/
    // "423432321");
    // String findingId = "samplefindingid";

    // Use the current time as the finding "event time".
    Instant eventTime = Instant.now();

    // The resource this finding applies to.  The CSCC UI can link
    // the findings for a resource to the corresponding Asset of a resource
    // if there are matches.
    String resourceName = "//cloudresourcemanager.googleapis.com/organizations/11232";

    // Start setting up a request to create a finding in a source.
    Finding finding =
        Finding.newBuilder()
            .setParent(sourceName.toString())
            .setState(State.ACTIVE)
            .setResourceName(resourceName)
            .setEventTime(
                Timestamp.newBuilder()
                    .setSeconds(eventTime.getEpochSecond())
                    .setNanos(eventTime.getNano()))
            .setCategory("MEDIUM_RISK_ONE")
            .build();

    // Call the API.
    Finding response = client.createFinding(sourceName, findingId, finding);

    System.out.println("Created Finding: " + response);
    return response;
  } catch (IOException e) {
    throw new RuntimeException("Couldn't create client.", e);
  }
}

Go

import (
	"context"
	"fmt"
	"io"
	"time"

	securitycenter "cloud.google.com/go/securitycenter/apiv1"
	"github.com/golang/protobuf/ptypes"
	securitycenterpb "google.golang.org/genproto/googleapis/cloud/securitycenter/v1"
)

// createFinding demonstrates how to create a new security finding in CSCC.
// sourceName is the full resource name of the source the finding should
// be associated with.
func createFinding(w io.Writer, sourceName string) error {
	// sourceName := "organizations/111122222444/sources/1234"
	// Instantiate a context and a security service client to make API calls.
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %v", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.
	// Use now as the eventTime for the security finding.
	eventTime, err := ptypes.TimestampProto(time.Now())
	if err != nil {
		return fmt.Errorf("TimestampProto: %v", err)
	}

	req := &securitycenterpb.CreateFindingRequest{
		Parent:    sourceName,
		FindingId: "samplefindingid",
		Finding: &securitycenterpb.Finding{
			State: securitycenterpb.Finding_ACTIVE,
			// Resource the finding is associated with. This is an
			// example any resource identifier can be used.
			ResourceName: "//cloudresourcemanager.googleapis.com/organizations/11232",
			// A free-form category.
			Category: "MEDIUM_RISK_ONE",
			// The time associated with discovering the issue.
			EventTime: eventTime,
		},
	}
	finding, err := client.CreateFinding(ctx, req)
	if err != nil {
		return fmt.Errorf("CreateFinding: %v", err)
	}
	fmt.Fprintf(w, "New finding created: %s\n", finding.Name)
	fmt.Fprintf(w, "Event time (Epoch Seconds): %d\n", eventTime.Seconds)
	return nil
}

Node.js

// Imports the Google Cloud client library.
const {SecurityCenterClient} = require('@google-cloud/security-center');

// Creates a new client.
const client = new SecurityCenterClient();
// sourceName is the full resource name of the source the finding should
// be associated with.
/*
 * TODO(developer): Uncomment the following lines
 */
// const sourceName = "organizations/111122222444/sources/1234";

// Use now as the eventTime for the security finding.
const eventTime = new Date();
async function createFinding() {
  const [newFinding] = await client.createFinding({
    parent: sourceName,
    findingId: 'samplefindingid',
    finding: {
      state: 'ACTIVE',
      // Resource the finding is associated with.  This is an
      // example any resource identifier can be used.
      resourceName:
        '//cloudresourcemanager.googleapis.com/organizations/11232',
      // A free-form category.
      category: 'MEDIUM_RISK_ONE',
      // The time associated with discovering the issue.
      eventTime: {
        seconds: Math.floor(eventTime.getTime() / 1000),
        nanos: (eventTime.getTime() % 1000) * 1e6,
      },
    },
  });
  console.log('New finding created: %j', newFinding);
}
createFinding();

Créer un résultat avec des propriétés sources

Security Command Center permet aux sources d'ajouter du contexte aux résultats par le biais de métadonnées clé-valeur appelées "propriétés sources". Les propriétés sources peuvent être initialisées au moment de la création. L'exemple ci-dessous montre comment créer un résultat avec des propriétés sources.

Créez un résultat avec des propriétés sources. La longueur des noms de clé dans la carte source_properties doit comporter entre 1 et 255 caractères. Elle doit commencer par une lettre et ne contenir que des caractères alphanumériques ou des traits de soulignement. Security Command Center n'accepte que les valeurs booléennes, de nombre et de chaîne.

gcloud

  # ORGANIZATION=12344321
  # SOURCE=43211234
  # FINDING_ID=testfindingid
  # EVENT_TIME follows the format YYYY-MM-DDThh:mm:ss.ffffffZ
  EVENT_TIME=2019-02-28T07:00:06.861Z
  STATE=ACTIVE
  CATEGORY=MEDIUM_RISK_ONE
  SOURCE_PROPERTY_KEY=gcloud_client_test
  SOURCE_PROPERTY_VALUE=value

  gcloud scc findings create $FINDING_ID \
      --source $SOURCE \
      --organization $ORGANIZATION \
      --state $STATE \
      --category $CATEGORY \
      --event-time $EVENT_TIME \
      --source-properties $SOURCE_PROPERTY_KEY=$SOURCE_PROPERTY_VALUE
  • Vous pouvez ajouter d'autres propriétés sources à l'aide d'une liste de paires clé-valeur séparées par une virgule.

Pour plus d'exemples, exécutez la commande suivante :

  gcloud scc findings create --help

Python

from google.cloud import securitycenter
from google.cloud.securitycenter_v1.proto.finding_pb2 import Finding
from google.protobuf.timestamp_pb2 import Timestamp
from google.protobuf.struct_pb2 import Value

# Create a new client.
client = securitycenter.SecurityCenterClient()

# source_name is the resource path for a source that has been
# created previously (you can use list_sources to find a specific one).
# Its format is:
# source_name = "organizations/{organization_id}/sources/{source_id}"
# e.g.:
# source_name = "organizations/111122222444/sources/1234"

# Controlled by caller.
finding_id = "samplefindingid2"

# The resource this finding applies to.  The CSCC UI can link
# the findings for a resource to the corresponding Asset of a resource
# if there are matches.
resource_name = "//cloudresourcemanager.googleapis.com/organizations/11232"

# Define source properties values as protobuf "Value" objects.
str_value = Value()
str_value.string_value = "string_example"
num_value = Value()
num_value.number_value = 1234

# Use the current time as the finding "event time".
now_proto = Timestamp()
now_proto.GetCurrentTime()

created_finding = client.create_finding(
    source_name,
    finding_id,
    {
        "state": Finding.ACTIVE,
        "resource_name": resource_name,
        "category": "MEDIUM_RISK_ONE",
        "source_properties": {"s_value": str_value, "n_value": num_value},
        "event_time": now_proto,
    },
)
print(created_finding)

Java

static Finding createFindingWithSourceProperties(SourceName sourceName) {
  try (SecurityCenterClient client = SecurityCenterClient.create()) {
    // SourceName sourceName = SourceName.of(/*organization=*/"123234324",/*source=*/
    // "423432321");

    // Use the current time as the finding "event time".
    Instant eventTime = Instant.now();

    // Controlled by caller.
    String findingId = "samplefindingid2";

    // The resource this finding applies to.  The CSCC UI can link
    // the findings for a resource to the corresponding Asset of a resource
    // if there are matches.
    String resourceName = "//cloudresourcemanager.googleapis.com/organizations/11232";

    // Define source properties values as protobuf "Value" objects.
    Value stringValue = Value.newBuilder().setStringValue("stringExample").build();
    Value numValue = Value.newBuilder().setNumberValue(1234).build();
    ImmutableMap<String, Value> sourceProperties =
        ImmutableMap.of("stringKey", stringValue, "numKey", numValue);

    // Start setting up a request to create a finding in a source.
    Finding finding =
        Finding.newBuilder()
            .setParent(sourceName.toString())
            .setState(State.ACTIVE)
            .setResourceName(resourceName)
            .setEventTime(
                Timestamp.newBuilder()
                    .setSeconds(eventTime.getEpochSecond())
                    .setNanos(eventTime.getNano()))
            .putAllSourceProperties(sourceProperties)
            .build();

    // Call the API.
    Finding response = client.createFinding(sourceName, findingId, finding);

    System.out.println("Created Finding with Source Properties: " + response);
    return response;
  } catch (IOException e) {
    throw new RuntimeException("Couldn't create client.", e);
  }
}

Go

import (
	"context"
	"fmt"
	"io"
	"time"

	securitycenter "cloud.google.com/go/securitycenter/apiv1"
	"github.com/golang/protobuf/ptypes"
	structpb "github.com/golang/protobuf/ptypes/struct"
	securitycenterpb "google.golang.org/genproto/googleapis/cloud/securitycenter/v1"
)

// createFindingWithProperties demonstrates how to create a new security
// finding in CSCC that includes additional metadata via sourceProperties.
// sourceName is the full resource name of the source the finding should be
// associated with.
func createFindingWithProperties(w io.Writer, sourceName string) error {
	// sourceName := "organizations/111122222444/sources/1234"
	// Instantiate a context and a security service client to make API calls.
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %v", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.
	// Use now as the eventTime for the security finding.
	eventTime, err := ptypes.TimestampProto(time.Now())
	if err != nil {
		return fmt.Errorf("TimestampProto: %v", err)
	}

	req := &securitycenterpb.CreateFindingRequest{
		Parent:    sourceName,
		FindingId: "samplefindingprops",
		Finding: &securitycenterpb.Finding{
			State: securitycenterpb.Finding_ACTIVE,
			// Resource the finding is associated with.  This is an
			// example any resource identifier can be used.
			ResourceName: "//cloudresourcemanager.googleapis.com/organizations/11232",
			// A free-form category.Error converting now
			Category: "MEDIUM_RISK_ONE",
			// The time associated with discovering the issue.
			EventTime: eventTime,
			// Define key-value pair metadata to include with the finding.
			SourceProperties: map[string]*structpb.Value{
				"s_value": {
					Kind: &structpb.Value_StringValue{StringValue: "string_example"},
				},
				"n_value": {
					Kind: &structpb.Value_NumberValue{NumberValue: 1234},
				},
			},
		},
	}

	finding, err := client.CreateFinding(ctx, req)
	if err != nil {
		return fmt.Errorf("CreateFinding: %v", err)
	}
	fmt.Fprintf(w, "New finding created: %s\n", finding.Name)
	fmt.Fprintf(w, "Event time (Epoch Seconds): %d\n", eventTime.Seconds)
	fmt.Fprintf(w, "Source Properties:\n")
	for k, v := range finding.SourceProperties {
		fmt.Fprintf(w, "%s = %v\n", k, v)
	}

	return nil
}

Node.js

// Imports the Google Cloud client library.
const {SecurityCenterClient} = require('@google-cloud/security-center');

// Creates a new client.
const client = new SecurityCenterClient();
// sourceName is the full resource name of the source the finding should
// be associated with.
/*
 * TODO(developer): Uncomment the following lines
 */
// const sourceName = "organizations/111122222444/sources/1234";

// Use now as the eventTime for the security finding.
const eventTime = new Date();
async function createFinding() {
  const [newFinding] = await client.createFinding({
    parent: sourceName,
    findingId: 'findingwithprops',
    finding: {
      state: 'ACTIVE',
      // Resource the finding is associated with.  This is an
      // example any resource identifier can be used.
      resourceName:
        '//cloudresourcemanager.googleapis.com/organizations/11232',
      // A free-form category.
      category: 'MEDIUM_RISK_ONE',
      // The time associated with discovering the issue.
      eventTime: {
        seconds: Math.floor(eventTime.getTime() / 1000),
        nanos: (eventTime.getTime() % 1000) * 1e6,
      },
      sourceProperties: {
        s_value: {stringValue: 'string_example'},
        n_value: {numberValue: 1234},
      },
    },
  });
  console.log('New finding created: %j', newFinding);
}
createFinding();

Mettre à jour les propriétés sources d'un résultat

Cet exemple montre comment mettre à jour des propriétés sources individuelles et l'heure de l'événement. Il utilise des masques de champ pour ne mettre à jour que certains champs. Sans masque de champ, les nouvelles valeurs remplacent tous les champs modifiables dans la recherche.

Comme pour la création d'un résultat, les noms de clés dans la carte source_properties doivent contenir entre 1 et 255 caractères et doivent commencer par une lettre et ne contenir que des caractères alphanumériques ou des traits de soulignement. Security Command Center n'accepte que les valeurs booléennes, de nombre et de chaîne.

gcloud

  # ORGANIZATION=12344321
  # SOURCE=43211234
  # FINDING_ID=testfindingid
  # EVENT_TIME follows the format YYYY-MM-DDThh:mm:ss.ffffffZ
  EVENT_TIME=2019-02-28T08:00:06.861Z
  SOURCE_PROPERTY_KEY=gcloud_client_test
  SOURCE_PROPERTY_VALUE=VALUE
  UPDATE_MASK=source_properties,event_time

  gcloud scc findings update $FINDING_ID \
      --source $SOURCE \
      --organization $ORGANIZATION \
      --event-time $EVENT_TIME \
      --source-properties $SOURCE_PROPERTY_KEY=$SOURCE_PROPERTY_VALUE \
      --update-mask=$UPDATE_MASK
  • Utilisez --update-mask '' (empty) pour remplacer tous les champs modifiables.
  • Vous pouvez ajouter d'autres propriétés sources à l'aide d'une liste de paires clé-valeur séparées par une virgule.

Pour plus d'exemples, exécutez la commande suivante :

  gcloud scc findings update --help

Python

from google.cloud import securitycenter
from google.protobuf.struct_pb2 import Value
from google.protobuf import field_mask_pb2
from google.protobuf.timestamp_pb2 import Timestamp

client = securitycenter.SecurityCenterClient()
# Only update the specific source property and event_time.  event_time
# is required for updates.
field_mask = field_mask_pb2.FieldMask(
    paths=["source_properties.s_value", "event_time"]
)
value = Value()
value.string_value = "new_string"

# Set the update time to Now.  This must be some time greater then the
# event_time on the original finding.
now_proto = Timestamp()
now_proto.GetCurrentTime()

# source_name is the resource path for a source that has been
# created previously (you can use list_sources to find a specific one).
# Its format is:
# source_name = "organizations/{organization_id}/sources/{source_id}"
# e.g.:
# source_name = "organizations/111122222444/sources/1234"
finding_name = "{}/findings/samplefindingid2".format(source_name)
updated_finding = client.update_finding(
    {
        "name": finding_name,
        "source_properties": {"s_value": value},
        "event_time": now_proto,
    },
    update_mask=field_mask,
)

print(
    "New Source properties: {}, Event Time {}".format(
        updated_finding.source_properties, updated_finding.event_time.ToDatetime()
    )
)

Java

static Finding updateFinding(FindingName findingName) {
  try (SecurityCenterClient client = SecurityCenterClient.create()) {
    // FindingName findingName = FindingName.of(/*organization=*/"123234324",
    // /*source=*/"423432321", /*findingId=*/"samplefindingid2");

    // Use the current time as the finding "event time".
    Instant eventTime = Instant.now();

    // Define source properties values as protobuf "Value" objects.
    Value stringValue = Value.newBuilder().setStringValue("value").build();

    FieldMask updateMask =
        FieldMask.newBuilder()
            .addPaths("event_time")
            .addPaths("source_properties.stringKey")
            .build();

    Finding finding =
        Finding.newBuilder()
            .setName(findingName.toString())
            .setEventTime(
                Timestamp.newBuilder()
                    .setSeconds(eventTime.getEpochSecond())
                    .setNanos(eventTime.getNano()))
            .putSourceProperties("stringKey", stringValue)
            .build();

    UpdateFindingRequest.Builder request =
        UpdateFindingRequest.newBuilder().setFinding(finding).setUpdateMask(updateMask);

    // Call the API.
    Finding response = client.updateFinding(request.build());

    System.out.println("Updated Finding: " + response);
    return response;
  } catch (IOException e) {
    throw new RuntimeException("Couldn't create client.", e);
  }
}

Go

import (
	"context"
	"fmt"
	"io"
	"time"

	securitycenter "cloud.google.com/go/securitycenter/apiv1"
	"github.com/golang/protobuf/ptypes"
	structpb "github.com/golang/protobuf/ptypes/struct"
	securitycenterpb "google.golang.org/genproto/googleapis/cloud/securitycenter/v1"
	"google.golang.org/genproto/protobuf/field_mask"
)

// updateFindingSourceProperties demonstrates how to update a security finding
// in CSCC. findingName is the full resource name of the finding to update.
func updateFindingSourceProperties(w io.Writer, findingName string) error {
	// findingName := "organizations/111122222444/sources/1234/findings/findingid"
	// Instantiate a context and a security service client to make API calls.
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %v", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.
	// Use now as the eventTime for the security finding.
	eventTime, err := ptypes.TimestampProto(time.Now())
	if err != nil {
		return fmt.Errorf("TimestampProto: %v", err)
	}

	req := &securitycenterpb.UpdateFindingRequest{
		Finding: &securitycenterpb.Finding{
			Name:      findingName,
			EventTime: eventTime,
			SourceProperties: map[string]*structpb.Value{
				"s_value": {
					Kind: &structpb.Value_StringValue{StringValue: "new_string_example"},
				},
			},
		},
		// Needed to only update the specific source property s_value
		// and EventTime. EventTime is a required field.
		UpdateMask: &field_mask.FieldMask{
			Paths: []string{"event_time", "source_properties.s_value"},
		},
	}

	finding, err := client.UpdateFinding(ctx, req)
	if err != nil {
		return fmt.Errorf("UpdateFinding: %v", err)
	}
	fmt.Fprintf(w, "Finding updated: %s\n", finding.Name)
	fmt.Fprintf(w, "Finding state: %v\n", finding.State)
	fmt.Fprintf(w, "Event time (Epoch Seconds): %d\n", eventTime.Seconds)
	fmt.Fprintf(w, "Source Properties:\n")
	for k, v := range finding.SourceProperties {
		fmt.Fprintf(w, "%s = %v\n", k, v)
	}
	return nil
}

Node.js

// Imports the Google Cloud client library.
const {SecurityCenterClient} = require('@google-cloud/security-center');

// Creates a new client.
const client = new SecurityCenterClient();

// findingName is the full resource name of the finding to update.
/*
 * TODO(developer): Uncomment the following lines
 */
// const findingName =
// "organizations/111122222444/sources/1234/findings/findingid";

// Use now as the eventTime for the security finding.
const eventTime = new Date();
console.log(findingName);
async function updateFinding() {
  const [newFinding] = await client.updateFinding({
    updateMask: {paths: ['event_time', 'source_properties.s_value']},
    finding: {
      name: findingName,
      // The time associated with discovering the issue.
      eventTime: {
        seconds: Math.floor(eventTime.getTime() / 1000),
        nanos: (eventTime.getTime() % 1000) * 1e6,
      },
      sourceProperties: {
        s_value: {stringValue: 'new_string_example'},
      },
    },
  });
  console.log('Updated Finding: %j', newFinding);
}
updateFinding();

Mettre à jour l'état d'un résultat

Security Command Center fournit également une API permettant de ne mettre à jour que l'état d'un résultat. Cette API fournit une solution de mise à jour d'un résultat uniquement. Il s'agit d'une API simple qui permet aux entités principales de ne modifier que l'état d'un résultat et aucun autre de ses aspects. L'exemple ci-dessous montre comment définir l'état d'un résultat sur "inactif".

gcloud

  # ORGANIZATION=12344321
  # SOURCE=43211234
  # FINDING_ID=testfindingid
  # EVENT_TIME follows the format YYYY-MM-DDThh:mm:ss.ffffffZ
  EVENT_TIME=2019-02-28T09:00:06.861Z
  STATE=INACTIVE

  gcloud scc findings update $FINDING_ID \
      --source $SOURCE \
      --organization $ORGANIZATION \
      --state $STATE \
      --event-time $EVENT_TIME

Pour plus d'exemples, exécutez la commande suivante :

  gcloud scc findings update --help

Python

from google.cloud import securitycenter
from google.cloud.securitycenter_v1.proto.finding_pb2 import Finding
from google.protobuf.timestamp_pb2 import Timestamp

# Create a client.
client = securitycenter.SecurityCenterClient()
# source_name is the resource path for a source that has been
# created previously (you can use list_sources to find a specific one).
# Its format is:
# source_name = "organizations/{organization_id}/sources/{source_id}"
# e.g.:
# source_name = "organizations/111122222444/sources/1234"
finding_name = "{}/findings/samplefindingid2".format(source_name)

now_proto = Timestamp()
now_proto.GetCurrentTime()

# Call the API to change the finding state to inactive as of now.
new_finding = client.set_finding_state(
    finding_name, Finding.INACTIVE, start_time=now_proto
)
print("New state: {}".format(Finding.State.Name(new_finding.state)))

Java

static Finding setFindingState(FindingName findingName) {
  try (SecurityCenterClient client = SecurityCenterClient.create()) {
    // FindingName findingName = FindingName.of(/*organization=*/"123234324",
    // /*source=*/"423432321", /*findingId=*/"samplefindingid2");

    // Use the current time as the finding "event time".
    Instant eventTime = Instant.now();

    Finding response =
        client.setFindingState(
            findingName,
            State.INACTIVE,
            Timestamp.newBuilder()
                .setSeconds(eventTime.getEpochSecond())
                .setNanos(eventTime.getNano())
                .build());

    System.out.println("Updated Finding: " + response);
    return response;
  } catch (IOException e) {
    throw new RuntimeException("Couldn't create client.", e);
  }
}

Go

import (
	"context"
	"fmt"
	"io"
	"time"

	securitycenter "cloud.google.com/go/securitycenter/apiv1"
	"github.com/golang/protobuf/ptypes"
	securitycenterpb "google.golang.org/genproto/googleapis/cloud/securitycenter/v1"
)

// updateFindingState demonstrates how to update a security finding's state
// in CSCC.  findingName is the full resource name of the finding to update.
func setFindingState(w io.Writer, findingName string) error {
	// findingName := "organizations/111122222444/sources/1234"
	// Instantiate a context and a security service client to make API calls.
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %v", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.
	// Use now as the eventTime for the security finding.
	now, err := ptypes.TimestampProto(time.Now())
	if err != nil {
		return fmt.Errorf("TimestampProto: %v", err)
	}

	req := &securitycenterpb.SetFindingStateRequest{
		Name:  findingName,
		State: securitycenterpb.Finding_INACTIVE,
		// New state is effective immediately.
		StartTime: now,
	}

	finding, err := client.SetFindingState(ctx, req)
	if err != nil {
		return fmt.Errorf("SetFindingState: %v", err)
	}

	fmt.Fprintf(w, "Finding updated: %s\n", finding.Name)
	fmt.Fprintf(w, "Finding state: %v\n", finding.State)
	fmt.Fprintf(w, "Event time (Epoch Seconds): %d\n", finding.EventTime.Seconds)

	return nil
}

Node.js

// Imports the Google Cloud client library.
const {SecurityCenterClient} = require('@google-cloud/security-center');

// Creates a new client.
const client = new SecurityCenterClient();

// findingName is the full resource name of the source the finding should
// be associated with.
/*
 * TODO(developer): Uncomment the following lines
 */
// const findingName =
// "organizations/111122222444/sources/1234/findings/findingid";
async function setFindingState() {
  const eventTime = new Date();
  const [updatedFinding] = await client.setFindingState({
    name: findingName,
    state: 'INACTIVE',
    // use now as the time when the new state takes effect.
    startTime: {
      seconds: Math.floor(eventTime.getTime() / 1000),
      nanos: (eventTime.getTime() % 1000) * 1e6,
    },
  });
  console.log('Updated Finding: %j', updatedFinding);
}
setFindingState();

Vérifier les autorisations de résultats

La création et la mise à jour des résultats nécessitent l'une des autorisations IAM suivantes :

  • Création et mise à jour des résultats : securitycenter.findings.update.
  • Mise à jour des résultats uniquement : securitycenter.findings.setState.

Si vous ne pouvez pas créer de résultats pour une source, utilisez le code suivant pour vérifier que votre compte dispose des autorisations requises indiquées dans la section Avant de commencer. Si vous ne disposez pas des autorisations nécessaires, consultez la page Créer et gérer des sources de sécurité pour configurer les stratégies IAM appropriées.

Python

from google.cloud import securitycenter

# Create a client.
client = securitycenter.SecurityCenterClient()
# source_name is the resource path for a source that has been
# created previously (you can use list_sources to find a specific one).
# Its format is:
# source_name = "organizations/{organization_id}/sources/{source_id}"
# e.g.:
# source_name = "organizations/111122222444/sources/1234"

# Check for permssions to call create_finding or update_finding.
permission_response = client.test_iam_permissions(
    source_name, ["securitycenter.findings.update"]
)

print(
    "Permision to create or update findings? {}".format(
        len(permission_response.permissions) > 0
    )
)
# Check for permissions necessary to call set_finding_state.
permission_response = client.test_iam_permissions(
    source_name, ["securitycenter.findings.setState"]
)
print(
    "Permision to update state? {}".format(len(permission_response.permissions) > 0)
)

Java

static TestIamPermissionsResponse testIamPermissions(SourceName sourceName) {
  try (SecurityCenterClient client = SecurityCenterClient.create()) {
    // SourceName sourceName = SourceName.of(/*organizationId=*/"123234324",
    // /*sourceId=*/"423432321");

    // Iam permission to test.
    List<String> permissionsToTest = new ArrayList<>();
    permissionsToTest.add("securitycenter.findings.update");

    // Call the API.
    TestIamPermissionsResponse response =
        client.testIamPermissions(sourceName.toString(), permissionsToTest);
    System.out.println("IAM Permission:");
    System.out.println(response);

    return response;
  } catch (IOException e) {
    throw new RuntimeException("Couldn't create client.", e);
  }
}

Go

import (
	"context"
	"fmt"
	"io"

	securitycenter "cloud.google.com/go/securitycenter/apiv1"
	iam "google.golang.org/genproto/googleapis/iam/v1"
)

// testIam demonstrates how to determine if your service user has appropriate
// access to create and update findings, it writes permissions to w.
// sourceName is the full resource name of the source to test for permissions.
func testIam(w io.Writer, sourceName string) error {
	// sourceName := "organizations/111122222444/sources/1234"
	// Instantiate a context and a security service client to make API calls.
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %v", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.
	// Check for create/update Permissions.
	req := &iam.TestIamPermissionsRequest{
		Resource:    sourceName,
		Permissions: []string{"securitycenter.findings.update"},
	}

	policy, err := client.TestIamPermissions(ctx, req)
	if err != nil {
		return fmt.Errorf("Error getting IAM policy: %v", err)
	}
	fmt.Fprintf(w, "Permision to create/update findings? %t",
		len(policy.Permissions) > 0)

	// Check for updating state Permissions
	req = &iam.TestIamPermissionsRequest{
		Resource:    sourceName,
		Permissions: []string{"securitycenter.findings.setState"},
	}

	policy, err = client.TestIamPermissions(ctx, req)
	if err != nil {
		return fmt.Errorf("Error getting IAM policy: %v", err)
	}
	fmt.Fprintf(w, "Permision to update state? %t",
		len(policy.Permissions) > 0)

	return nil
}

Node.js

// Imports the Google Cloud client library.
const {SecurityCenterClient} = require('@google-cloud/security-center');

// Creates a new client.
const client = new SecurityCenterClient();

// sourceName is the full resource name of the source to test for permissions.
/*
 * TODO(developer): Uncomment the following lines
 */
// const sourceName = "organizations/111122222444/sources/1234";
async function testIam() {
  {
    const [policy] = await client.testIamPermissions({
      resource: sourceName,
      permissions: ['securitycenter.findings.update'],
    });
    console.log(
      `Permissions to create/update findings? ${
        policy.permissions.length > 0
      }`
    );
  }
  {
    const [policy] = await client.testIamPermissions({
      resource: sourceName,
      permissions: ['securitycenter.findings.setState'],
    });
    console.log(
      `Permissions to update state? ${policy.permissions.length > 0}`
    );
  }
}
testIam();