REST Resource: organizations.sources.findings

string

The relative resource name of the SecurityMarks. See: https://cloud.google.com/apis/design/resource_names#relative_resource_name The following list shows some examples:

• organizations/{organization_id}/assets/{asset_id}/securityMarks + organizations/{organization_id}/sources/{source_id}/findings/{findingId}/securityMarks + organizations/{organization_id}/sources/{source_id}/locations/{location}/findings/{findingId}/securityMarks

map (key: string, value: string)

Mutable user specified security marks belonging to the parent resource. Constraints are as follows:

• Keys and values are treated as case insensitive
• Keys must be between 1 - 256 characters (inclusive)
• Keys must be letters, numbers, underscores, or dashes
• Values have leading and trailing whitespace trimmed, remaining characters must be between 1 - 4096 characters (inclusive)

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

string

The canonical name of the marks. The following list shows some examples:

• organizations/{organization_id}/assets/{asset_id}/securityMarks + organizations/{organization_id}/sources/{source_id}/findings/{findingId}/securityMarks + organizations/{organization_id}/sources/{source_id}/locations/{location}/findings/{findingId}/securityMarks
• folders/{folder_id}/assets/{asset_id}/securityMarks + folders/{folder_id}/sources/{source_id}/findings/{findingId}/securityMarks + folders/{folder_id}/sources/{source_id}/locations/{location}/findings/{findingId}/securityMarks
• projects/{project_number}/assets/{asset_id}/securityMarks + projects/{project_number}/sources/{source_id}/findings/{findingId}/securityMarks + projects/{project_number}/sources/{source_id}/locations/{location}/findings/{findingId}/securityMarks

object (StaticMute)

If set, the static mute applied to this finding. Static mutes override dynamic mutes. If unset, there is no static mute.

object (DynamicMuteRecord)

The list of dynamic mute rules that currently match the finding.

enum (Mute)

The static mute state. If the value is MUTED or UNMUTED, then the finding's overall mute state will have the same value.

string (Timestamp format)

When the static mute was applied.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

string

The relative resource name of the mute rule, represented by a mute config, that created this record, for example organizations/123/muteConfigs/mymuteconfig or organizations/123/locations/global/muteConfigs/mymuteconfig.

string (Timestamp format)

When the dynamic mute rule first matched the finding.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

string

The list of IP addresses that are associated with the finding.

string

List of domains associated to the Finding.

object (ProcessSignature)

The list of matched signatures indicating that the given process is present in the environment.

string

The list of URIs associated to the Findings.

enum (SignatureType)

Describes the type of resource associated with the signature.

object (MemoryHashSignature)

Signature indicating that a binary family was matched.

object (YaraRuleSignature)

Signature indicating that a YARA rule was matched.

string

The binary family.

object (Detection)

The list of memory hash detections contributing to the binary family match.

string

The name of the binary associated with the memory hash signature detection.

number

The percentage of memory page hashes in the signature that were matched.

string

The name of the YARA rule.

object (Cve)

CVE stands for Common Vulnerabilities and Exposures (https://cve.mitre.org/about/)

object (Package)

The offending package is relevant to the finding.

object (Package)

The fixed package is relevant to the finding.

object (SecurityBulletin)

The security bulletin is relevant to this finding.

string

The unique identifier for the vulnerability. e.g. CVE-2021-34527

object (Reference)

Additional information about the CVE. e.g. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527

object (Cvssv3)

Describe Common Vulnerability Scoring System specified at https://www.first.org/cvss/v3.1/specification-document

boolean

Whether upstream fix is available for the CVE.

enum (RiskRating)

The potential impact of the vulnerability if it was to be exploited.

enum (ExploitationActivity)

The exploitation activity of the vulnerability in the wild.

boolean

Whether or not the vulnerability has been observed in the wild.

boolean

Whether or not the vulnerability was zero day when the finding was published.

string (Timestamp format)

Date the first publicly available exploit or PoC was released.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

string (Timestamp format)

Date of the earliest known exploitation.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

string

Source of the reference e.g. NVD

string

Uri for the mentioned source e.g. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527.

number

The base score is a function of the base metric scores.

enum (AttackVector)

Base Metrics Represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. This metric reflects the context by which vulnerability exploitation is possible.

enum (AttackComplexity)

This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.

enum (PrivilegesRequired)

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

enum (UserInteraction)

This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component.

enum (Scope)

The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope.

enum (Impact)

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.

enum (Impact)

This metric measures the impact to integrity of a successfully exploited vulnerability.

enum (Impact)

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.

string

The name of the package where the vulnerability was detected.

string

The CPE URI where the vulnerability was detected.

string

Type of package, for example, os, maven, or go.

string

The version of the package.

string

ID of the bulletin corresponding to the vulnerability.

string (Timestamp format)

Submission time of this Security Bulletin.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

string

This represents a version that the cluster receiving this notification should be upgraded to, based on its current version. For example, 1.15.0

string

Full resource name of the external system. The following list shows some examples:

• organizations/1234/sources/5678/findings/123456/externalSystems/jira + organizations/1234/sources/5678/locations/us/findings/123456/externalSystems/jira
• folders/1234/sources/5678/findings/123456/externalSystems/jira + folders/1234/sources/5678/locations/us/findings/123456/externalSystems/jira
• projects/1234/sources/5678/findings/123456/externalSystems/jira + projects/1234/sources/5678/locations/us/findings/123456/externalSystems/jira

string

References primary/secondary etc assignees in the external system.

string

The identifier that's used to track the finding's corresponding case in the external system.

string

The most recent status of the finding's corresponding case, as reported by the external system.

string (Timestamp format)

The time when the case was last updated, as reported by the external system.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

string

The link to the finding's corresponding case in the external system.

string

The priority of the finding's corresponding case in the external system.

string (Timestamp format)

The SLA of the finding's corresponding case in the external system.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

string (Timestamp format)

The time when the case was created, as reported by the external system.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

string (Timestamp format)

The time when the case was closed, as reported by the external system.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

object (TicketInfo)

Information about the ticket, if any, that is being used to track the resolution of the issue that is identified by this finding.

string

The identifier of the ticket in the ticket system.

string

The assignee of the ticket in the ticket system.

string

The description of the ticket in the ticket system.

string

The link to the ticket in the ticket system.

string

The latest status of the ticket, as reported by the ticket system.

string (Timestamp format)

The time when the ticket was last updated, as reported by the ticket system.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

enum (Tactic)

The MITRE ATT&CK tactic most closely represented by this finding, if any.

enum (Technique)

The MITRE ATT&CK technique most closely represented by this finding, if any. primaryTechniques is a repeated field because there are multiple levels of MITRE ATT&CK techniques. If the technique most closely represented by this finding is a sub-technique (e.g. SCANNING_IP_BLOCKS), both the sub-technique and its parent technique(s) will be listed (e.g. SCANNING_IP_BLOCKS, ACTIVE_SCANNING).

enum (Tactic)

Additional MITRE ATT&CK tactics related to this finding, if any.

enum (Technique)

Additional MITRE ATT&CK techniques related to this finding, if any, along with any of their respective parent techniques.

string

The MITRE ATT&CK version referenced by the above fields. E.g. "8".

string

Associated email, such as "foo@google.com".

The email address of the authenticated user or a service account acting on behalf of a third party principal making the request. For third party identity callers, the principalSubject field is populated instead of this field. For privacy reasons, the principal email address is sometimes redacted. For more information, see Caller identities in audit logs.

string

Caller's IP address, such as "1.1.1.1".

object (Geolocation)

The caller IP's geolocation, which identifies where the call came from.

string

Type of user agent associated with the finding. For example, an operating system shell or an embedded or standalone application.

string

The caller's user agent string associated with the finding.

string

This is the API service that the service account made a call to, e.g. "iam.googleapis.com"

string

The method that the service account called, e.g. "SetIamPolicy".

string

A string that represents the principalSubject that is associated with the identity. Unlike principalEmail, principalSubject supports principals that aren't associated with email addresses, such as third party principals. For most identities, the format is principal://iam.googleapis.com/{identity pool name}/subject/{subject}. Some GKE identities, such as GKE_WORKLOAD, FREEFORM, and GKE_HUB_WORKLOAD, still use the legacy format serviceAccount:{identity pool name}[{subject}].

string

The name of the service account key that was used to create or exchange credentials when authenticating the service account that made the request. This is a scheme-less URI full resource name. For example:

"//iam.googleapis.com/projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}".

object (ServiceAccountDelegationInfo)

The identity delegation history of an authenticated service account that made the request. The serviceAccountDelegationInfo[] object contains information about the real authorities that try to access Google Cloud resources by delegating on a service account. When multiple authorities are present, they are guaranteed to be sorted based on the original ordering of the identity delegation events.

string

A string that represents a username. The username provided depends on the type of the finding and is likely not an IAM principal. For example, this can be a system username if the finding is related to a virtual machine, or it can be an application login username.

string

A CLDR.

string

The email address of a Google account.

string

A string representing the principalSubject associated with the identity. As compared to principalEmail, supports principals that aren't associated with email addresses, such as third party principals. For most identities, the format will be principal://iam.googleapis.com/{identity pool name}/subjects/{subject} except for some GKE identities (GKE_WORKLOAD, FREEFORM, GKE_HUB_WORKLOAD) that are still in the legacy format serviceAccount:{identity pool name}[{subject}]

string

Destination IP address. Not present for sockets that are listening and not connected.

integer

Destination port. Not present for sockets that are listening and not connected.

string

Source IP address.

integer

Source port.

enum (Protocol)

IANA Internet Protocol Number such as TCP(6) and UDP(17).

string

The process name, as displayed in utilities like top and ps. This name can be accessed through /proc/[pid]/comm and changed with prctl(PR_SET_NAME).

object (File)

File information for the process executable.

object (File)

File information for libraries loaded by the process.

object (File)

When the process represents the invocation of a script, binary provides information about the interpreter, while script provides information about the script file provided to the interpreter.

string

Process arguments as JSON encoded strings.

boolean

True if args is incomplete.

object (EnvironmentVariable)

Process environment variables.

boolean

True if envVariables is incomplete.

string (int64 format)

The process ID.

string (int64 format)

The parent process ID.

string

Absolute path of the file as a JSON encoded string.

string (int64 format)

Size of the file in bytes.

string

SHA256 hash of the first hashedSize bytes of the file encoded as a hex string. If hashedSize == size, sha256 represents the SHA256 hash of the entire file.

string (int64 format)

The length in bytes of the file prefix that was hashed. If hashedSize == size, any hashes reported represent the entire file.

boolean

True when the hash covers only a prefix of the file.

string

Prefix of the file contents as a JSON-encoded string.

object (DiskPath)

Path of the file in terms of underlying disk/partition identifiers.

string

UUID of the partition (format https://wiki.archlinux.org/title/persistent_block_device_naming#by-uuid)

string

Relative path of the file in the partition as a JSON encoded string. Example: /home/user1/executable_file.sh

string

Environment variable name as a JSON encoded string.

string

Environment variable value as a JSON encoded string.

object (Contact)

A list of contacts

string

An email address. For example, "person123@company.com".

string

Industry-wide compliance standards or benchmarks, such as CIS, PCI, and OWASP.

string

Version of the standard or benchmark, for example, 1.1

string

Policies within the standard or benchmark, for example, A.12.4.1

object (ExfilResource)

If there are multiple sources, then the data is considered "joined" between them. For instance, BigQuery can join multiple tables, and each table would be considered a source.

object (ExfilResource)

If there are multiple targets, each target would get a complete copy of the "joined" source data.

string (int64 format)

Total exfiltrated bytes processed for the entire job.

string

The resource's full resource name.

string

Subcomponents of the asset that was exfiltrated, like URIs used during exfiltration, table names, databases, and filenames. For example, multiple tables might have been exfiltrated from the same Cloud SQL instance, or multiple files might have been exfiltrated from the same Cloud Storage bucket.

enum (Action)

The action that was performed on a Binding.

string

Role that is assigned to "members". For example, "roles/viewer", "roles/editor", or "roles/owner".

string

A single identity requesting access for a Cloud Platform resource, for example, "foo@google.com".

string

Name of the container.

string

Container image URI provided when configuring a pod or container. This string can identify a container image version using mutable tags.

string

Optional container image ID, if provided by the container runtime. Uniquely identifies the container image launched using a container image digest.

object (Label)

Container labels, as provided by the container runtime.

string (Timestamp format)

The time that the container was created.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

string

Name of the label.

string

Value that corresponds to the label's name.

object (Pod)

Kubernetes Pods associated with the finding. This field contains Pod records for each container that is owned by a Pod.

object (Node)

Provides Kubernetes node information.

object (NodePool)

GKE node pools associated with the finding. This field contains node pool information for each node, when it is available.

object (Role)

Provides Kubernetes role information for findings that involve Roles or ClusterRoles.

object (Binding)

Provides Kubernetes role binding information for findings that involve RoleBindings or ClusterRoleBindings.

object (AccessReview)

Provides information on any Kubernetes access reviews (privilege checks) relevant to the finding.

object (Object)

Kubernetes objects related to the finding.

string

Kubernetes Pod namespace.

string

Kubernetes Pod name.

object (Label)

Pod labels. For Kubernetes containers, these are applied to the container.

object (Container)

Pod containers associated with this finding, if any.

string

Full resource name of the Compute Engine VM running the cluster node.

string

Kubernetes node pool name.

object (Node)

Nodes associated with the finding.

enum (Kind)

Role type.

string

Role namespace.

string

Role name.

string

Namespace for the binding.

string

Name for the binding.

object (Role)

The Role or ClusterRole referenced by the binding.

object (Subject)

Represents one or more subjects that are bound to the role. Not always available for PATCH requests.

enum (AuthType)

Authentication type for the subject.

string

Namespace for the subject.

string

Name for the subject.

string

The API group of the resource. "*" means all.

string

Namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces. Both are represented by "" (empty).

string

The name of the resource being requested. Empty means all.

string

The optional resource type requested. "*" means all.

string

The optional subresource type.

string

A Kubernetes resource API verb, like get, list, watch, create, update, delete, proxy. "*" means all.

string

The API version of the resource. "*" means all.

string

Kubernetes object group, such as "policy.k8s.io/v1".

string

Kubernetes object kind, such as "Namespace".

string

Kubernetes object namespace. Must be a valid DNS label. Named "ns" to avoid collision with C++ namespace keyword. For details see https://kubernetes.io/docs/tasks/administer-cluster/namespaces/.

string

Kubernetes object name. For details see https://kubernetes.io/docs/concepts/overview/working-with-objects/names/.

object (Container)

Pod containers associated with this finding, if any.

string

Some database resources may not have the full resource name populated because these resource types are not yet supported by Cloud Asset Inventory (e.g. Cloud SQL databases). In these cases only the display name will be provided. The full resource name of the database that the user connected to, if it is supported by Cloud Asset Inventory.

string

The human-readable name of the database that the user connected to.

string

The username used to connect to the database. The username might not be an IAM principal and does not have a set format.

string

The SQL statement that is associated with the database access.

string

The target usernames, roles, or groups of an SQL privilege grant, which is not an IAM policy change.

string

The version of the database, for example, POSTGRES_14. See the complete list.

number

A number between 0 (inclusive) and infinity that represents how important this finding is to remediate. The higher the score, the more important it is to remediate.

string (Timestamp format)

The most recent time the attack exposure was updated on this finding.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

string

The resource name of the attack path simulation result that contains the details regarding this attack exposure score. Example: organizations/123/simulations/456/attackExposureResults/789

enum (State)

Output only. What state this AttackExposure is in. This captures whether or not an attack exposure has been calculated or not.

integer

The number of high value resources that are exposed as a result of this finding.

integer

The number of medium value resources that are exposed as a result of this finding.

integer

The number of high value resources that are exposed as a result of this finding.

string

Name of the inspection job, for example, projects/123/locations/europe/dlpJobs/i-8383929.

string

The type of information (or infoType) found, for example, EMAIL_ADDRESS or STREET_ADDRESS.

string (int64 format)

The number of times Cloud DLP found this infoType within this job and resource.

boolean

Whether Cloud DLP scanned the complete resource or a sampled subset.

string

Name of the data profile, for example, projects/123/locations/europe/tableProfiles/8383929.

enum (ParentType)

The resource hierarchy level at which the data profile was generated.

string

Rootkit name, when available.

boolean

True if unexpected modifications of kernel code memory are present.

boolean

True if unexpected modifications of kernel read-only data memory are present.

boolean

True if ftrace points are present with callbacks pointing to regions that are not in the expected kernel or module code range.

boolean

True if kprobe points are present with callbacks pointing to regions that are not in the expected kernel or module code range.

boolean

True if kernel code pages that are not in the expected kernel or module code regions are present.

boolean

True if system call handlers that are are not in the expected kernel or module code regions are present.

boolean

True if interrupt handlers that are are not in the expected kernel or module code regions are present.

boolean

True if unexpected processes in the scheduler run queue are present. Such processes are in the run queue, but not in the process task list.

string

The resource name of the org policy. Example: "organizations/{organization_id}/policies/{constraint_name}"

string

The base URI that identifies the network location of the application in which the vulnerability was detected. For example, http://example.com.

string

The full URI with payload that could be used to reproduce the vulnerability. For example, http://example.com?p=aMmYgI6H.

string

The name of a Backup and DR template which comprises one or more backup policies. See the Backup and DR documentation for more information. For example, snap-ov.

string

The names of Backup and DR policies that are associated with a template and that define when to run a backup, how frequently to run a backup, and how long to retain the backup image. For example, onvaults.

string

The name of a Backup and DR host, which is managed by the backup and recovery appliance and known to the management console. The host can be of type Generic (for example, Compute Engine, SQL Server, Oracle DB, SMB file system, etc.), vCenter, or an ESX server. See the Backup and DR documentation on hosts for more information. For example, centos7-01.

string

The names of Backup and DR applications. An application is a VM, database, or file system on a managed host monitored by a backup and recovery appliance. For example, centos7-01-vol00, centos7-01-vol01, centos7-01-vol02.

string

The name of the Backup and DR storage pool that the backup and recovery appliance is storing data in. The storage pool could be of type Cloud, Primary, Snapshot, or OnVault. See the Backup and DR documentation on storage pools. For example, DiskPoolOne.

string

The names of Backup and DR advanced policy options of a policy applying to an application. See the Backup and DR documentation on policy options. For example, skipofflineappsincongrp, nounmap.

string

The name of the Backup and DR resource profile that specifies the storage media for backups of application and VM data. See the Backup and DR documentation on profiles. For example, GCP.

string

The name of the Backup and DR appliance that captures, moves, and manages the lifecycle of backup data. For example, backup-server-57137.

string

The backup type of the Backup and DR image. For example, Snapshot, Remote Snapshot, OnVault.

string (Timestamp format)

The timestamp at which the Backup and DR backup was created.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

string

Name of the posture, for example, CIS-Posture.

string

The version of the posture, for example, c7cfa2a8.

string

The project, folder, or organization on which the posture is deployed, for example, projects/{project_number}.

string

The name of the posture deployment, for example, organizations/{org_id}/posturedeployments/{posture_deployment_id}.

string

The name of the updated policy, for example, projects/{projectId}/policies/{constraint_name}.

string

The name of the updated policy set, for example, cis-policyset.

string

The ID of the updated policy, for example, compute-policy-1.

object (PolicyDriftDetails)

The details about a change in an updated policy that violates the deployed posture.

string

The name of the updated field, for example constraint.implementation.policy_rules[0].enforce

string

The value of this field that was configured in a posture, for example, true or allowed_values={"projects/29831892"}.

string

The detected value that violates the deployed posture, for example, false or allowed_values={"projects/22831892"}.

object (CloudLoggingEntry)

An individual entry in a log stored in Cloud Logging.

string

A unique identifier for the log entry.

string

The type of the log (part of logName. logName is the resource name of the log to which this log entry belongs). For example: cloudresourcemanager.googleapis.com/activity Note that this field is not URL-encoded, unlike in LogEntry.

string

The organization, folder, or project of the monitored resource that produced this log entry.

string (Timestamp format)

The time the event described by the log entry occurred.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

string

The name of the load balancer associated with the finding.

object (SecurityPolicy)

Information about the Google Cloud Armor security policy relevant to the finding.

object (Requests)

Information about incoming requests evaluated by Google Cloud Armor security policies.

object (AdaptiveProtection)

Information about potential Layer 7 DDoS attacks identified by Google Cloud Armor Adaptive Protection.

object (Attack)

Information about DDoS attack volume and classification.

string

Distinguish between volumetric & protocol DDoS attack and application layer attacks. For example, "L3_4" for Layer 3 and Layer 4 DDoS attacks, or "L_7" for Layer 7 DDoS attacks.

string (Duration format)

Duration of attack from the start until the current moment (updated every 5 minutes).

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

string

The name of the Google Cloud Armor security policy, for example, "my-security-policy".

string

The type of Google Cloud Armor security policy for example, 'backend security policy', 'edge security policy', 'network edge security policy', or 'always-on DDoS protection'.

boolean

Whether or not the associated rule or policy is in preview mode.

number

For 'Increasing deny ratio', the ratio is the denied traffic divided by the allowed traffic. For 'Allowed traffic spike', the ratio is the allowed traffic in the short term divided by allowed traffic in the long term.

integer

Allowed RPS (requests per second) in the short term.

integer

Allowed RPS (requests per second) over the long term.

integer

Denied RPS (requests per second) over the long term.

number

A score of 0 means that there is low confidence that the detected event is an actual attack. A score of 1 means that there is high confidence that the detected event is an attack. See the Adaptive Protection documentation for further explanation.

integer

Total PPS (packets per second) volume of attack.

integer

Total BPS (bytes per second) volume of attack.

string

Type of attack, for example, 'SYN-flood', 'NTP-udp', or 'CHARGEN-udp'.

string

The name of the notebook.

string

The source notebook service, for example, "Colab Enterprise".

string

The user ID of the latest author to modify the notebook.

string (Timestamp format)

The most recent time the notebook was updated.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

number

The Attack exposure score of this toxic combination. The score is a measure of how much this toxic combination exposes one or more high-value resources to potential attack.

string

List of resource names of findings associated with this toxic combination. For example, organizations/123/sources/456/findings/789.

enum (GroupType)

Type of group.

string

ID of the group.

string

Unique identifier for data access event.

string

The email address of the principal that accessed the data. The principal could be a user account, service account, Google group, or other.

enum (Operation)

The operation performed by the principal to access the data.

string (Timestamp format)

Timestamp of data access event.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

string

Unique identifier for data flow event.

string

The email address of the principal that initiated the data flow event. The principal could be a user account, service account, Google group, or other.

enum (Operation)

The operation performed by the principal for the data flow event.

string

Non-compliant location of the principal or the data destination.

string (Timestamp format)

Timestamp of data flow event.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".