Method: organizations.sources.findings.group

Filters an organization or source's findings and groups them by their specified properties.

To group across all sources provide a - as the source id. Example: /v1beta1/organizations/{organization_id}/sources/-/findings

HTTP request


The URLs use gRPC Transcoding syntax.

Path parameters

Parameters
parent

string

Required. Name of the source to groupBy. Its format is "organizations/[organization_id]/sources/[source_id]". To groupBy across all sources provide a source_id of -. For example: organizations/{organization_id}/sources/-

Request body

The request body contains data with the following structure:

JSON representation 
{
  "filter": string,
  "groupBy": string,
  "readTime": string,
  "pageToken": string,
  "pageSize": integer
}
Fields
filter

string

Expression that defines the filter to apply across findings. The expression is a list of one or more restrictions combined via logical operators AND and OR. Parentheses are not supported, and OR has higher precedence than AND.

Restrictions have the form <field> <operator> <value> and may have a - character in front of them to indicate negation. Examples include:

  • name
  • sourceProperties.a_property
  • securityMarks.marks.marka

The supported operators are:

  • = for all value types.
  • >, <, >=, <= for integer values.
  • :, meaning substring matching, for strings.

The supported value types are:

  • string literals in quotes.
  • integer literals without quotes.
  • boolean literals true and false without quotes.

For example, sourceProperties.size = 100 is a valid filter string.
groupBy

string

Required. Expression that defines what assets fields to use for grouping (including state). The string value should follow SQL syntax: comma separated list of fields. For example: "parent,resourceName".

The following fields are supported:

  • resourceName
  • category
  • state
  • parent
readTime

string (Timestamp format)

Time used as a reference point when filtering findings. The filter is limited to findings existing at the supplied time and their values are those at that specific time. Absence of this field will default to the API's version of NOW.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
pageToken

string

The value returned by the last GroupFindingsResponse; indicates that this is a continuation of a prior findings.group call, and that the system should return the next page of data.
pageSize

integer

The maximum number of results to return in a single response. Default is 10, minimum is 1, maximum is 1000.

Response body

Response message for group by findings.

If successful, the response body contains data with the following structure:

JSON representation 
{
  "groupByResults": [
    {
      object (GroupResult)
    }
  ],
  "readTime": string,
  "nextPageToken": string
}
Fields
groupByResults[]

object (GroupResult)

Group results. There exists an element for each existing unique combination of property/values. The element contains a count for the number of times those specific property/values appear.
readTime

string (Timestamp format)

Time used for executing the groupBy request.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
nextPageToken

string

Token to retrieve the next page of results, or empty if there are no more results.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.