Review and manage findings in the console

This page explains how to work with Security Command Center findings in the Google Cloud console and the Security Operations console.

A finding is a record of a security issue that the Security Command Center services create when they detect a security issue. Findings are listed in the Findings page. You can click a finding to see its details and full JSON format.

Some of the actions that you can perform on the Findings page include the following:

  • Query findings
  • Inspect findings
  • Mute findings
  • Add security marks to findings

For information about working with findings programmatically, see Security Command Center client libraries.

Work with findings in the Security Command Center Enterprise consoles

If you are a Security Command Center Enterprise customer, you can work with findings in two consoles:

  • Google Cloud console: available in all service tiers
  • Security Operations console: available in the Enterprise tier only

For more information, see Security Command Center Enterprise consoles.

Obtain the required permissions

This section lists the IAM roles that you need to work with findings in the console.

Google Cloud console IAM roles

To work with findings in the Google Cloud console, you need the following IAM roles.

Make sure that you have the following role or roles on the organization:

  • Security Center Findings Viewer (roles/securitycenter.findingsViewer)
  • Security Center Findings Editor (roles/securitycenter.findingsEditor)

Check for the roles

  1. In the Google Cloud console, go to the IAM page.

    Go to IAM
  2. Select the organization.

  3. In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.

  4. For all rows that specify or include you, check the Role colunn to see whether the list of roles includes the required roles.

Grant the roles

  1. In the Google Cloud console, go to the IAM page.

    Go to IAM
  2. Select the organization.
  3. Click Grant access.

  4. In the New principals field, enter your user identifier. This is typically the email address for a Google Account.

  5. In the Select a role list, select a role.
  6. To grant additional roles, click Add another role and add each additional role.
  7. Click Save.

For more information about Security Command Center roles and permissions, see IAM for organization-level activations.

Security Operations console IAM roles

If you are a Security Command Center Enterprise customer, you can work with findings in the Security Operations console. You need any of the following IAM roles:

  • Chronicle SOAR Admin (roles/chronicle.soarAdmin)
  • Chronicle SOAR Threat Manager (roles/chronicle.soarThreatManager)
  • Chronicle SOAR Vulnerability Manager (roles/chronicle.soarVulnerabilityManager)

For information about granting the role to a user, see Map and authorize users using IAM.

View findings

For information about locating the Findings page, click the tab for the console that you are using.

Google Cloud console

  1. In the Google Cloud console, go to the Findings page of Security Command Center.

    Go to Findings

  2. Select your Google Cloud project or organization.

Security Operations console

In the Security Operations console, go to the Findings page. 

https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/posture/findings

Replace CUSTOMER_SUBDOMAIN with your customer-specific identifier.

For more information about this console, see Security Operations console.

Adjust the time range to view more findings

You can adjust the time range that is used for your queries. The default time range is Last 7 days.

The time range is based on the value of the eventTime attribute of the findings, which reflects the time at which the finding record was last updated.

For information about how to adjust the time range, click the tab for the console that you are using.

Google Cloud console

On the Findings page in the Google Cloud console, set the Time range field.

Security Operations console

At the top of the list of findings on the Findings page in the Security Operations console, set the Showing field.

Finding availability

A finding usually becomes available for you to query in Security Command Center less than a minute after the service that generates the finding stores it in the Security Command Center findings database. Premium and Enterprise tier findings remain available for querying for at least 13 months. Standard tier findings remain available for at least 35 days.

Security Command Center stores one or more snapshots of each finding. A snapshot of a Premium or Enterprise tier finding is deleted 13 months after the timestamp in the eventTime field. If all snapshots for a finding are deleted, the finding can no longer be queried or recovered.

For more information about Security Command Center data retention, see Data retention.

Find and view specific findings

By default, the Findings page displays all active findings that are not muted and that are either new or updated over the last seven days.

To see specific findings, edit the findings query to specify the values or attributes that the findings you need to see must or must not contain.

The following example is the default findings query:

state="ACTIVE"
AND NOT mute="MUTED"

You can see the current findings query in the Query editor panel. You can edit the query directly or select predefined filters to build the query. For more information, click the tab for the console that you are using.

Google Cloud console

On the Findings page in the Google Cloud console, you can do the following:

  • In the Quick filters panel, select one or more predefined attribute filters to add them to a query. Use the Quick filters panel for commonly used, high-level filter options.
  • In the Add filter menu of the Query editor panel, select one or more of the predefined attribute filters to add them to a query. Use the Add filter menu for more granular and advanced filters that are based on lower-level finding attributes. For more information, see Edit a findings query in the console.
  • Edit the findings query directly in the Query editor panel.
  • In the detail view of a finding, from the drop-down menu for a particular attribute, select a predefined filter for that attribute to add it to a query.

Security Operations console

On the Findings page in the Security Operations console, you can do the following:

  • In the Aggregations panel, select one or more predefined attribute filters to add them to a query. Use the Aggregations panel for commonly used, high-level filter options.
  • In the Add filter menu of the Query editor panel, select one or more of the predefined attribute filters to add them to a query. Use the Add filter menu for more granular and advanced filters that are based on lower-level finding attributes. For more information, see Edit a findings query in the console.
  • Edit the findings query directly in the Query editor panel.

View the details of a finding

To learn more about a finding, open the detailed view of the finding by clicking the finding name in the Category column in the findings query results.

In the detail view, you can find information that is critical for understanding a finding, investigating a threat, or addressing a vulnerability.

The detail view for findings includes the following tabs that you can select to learn more about a finding and take action:

  • The Summary tab, which is the default view, highlights key information and attributes about the finding.
  • The Source properties tab, where you can see the attributes of the sourceProperties object of the finding JSON.
  • The JSON tab, where you can see the full JSON format of the finding.

You can take certain actions on the finding in the detail view, as well as find links to additional information that is related to the finding.

Learn about the finding in the detail view

The detail view of a finding highlights important information about the finding that you can use to understand and address the underlying security issue.

Information on the Summary tab

The Summary tab provides information about the finding in the following sections:

What was detected (or Overview)

Details about the finding that was detected, such as the following:

  • The finding severity
  • The finding state, ACTIVE or INACTIVE
  • Any key fields that are related to the specific finding
Vulnerability

Information from the CVE record that corresponds to the vulnerability, if any. The Vulnerability section includes information from the CVE record, such as:

  • CVE ID
  • CVE score
  • Impact
  • Exploitation activity
Attack exposure

The attack exposure score and the time at which the score was last calculated. Clicking the score opens a visual depiction of the affected high-value resources and the associated attack path.

Affected resource

Details about the resource that is associated with the finding, including the following information:

  • The full name of the affected resource
  • The cloud service provider of the resource
  • The technical and security contacts
Case information

Details about the case that is associated with the finding, including the following information.

  • The full resource name of the external system that is associated with the finding
  • The group assigned to the case
  • The case ID, which links to the case in the Security Operations console
  • The status of the case
  • The update time in the external case management system
  • The committed deadline for closing the case
Security marks

The security marks that are associated with this finding, if any.

Next steps

Guidance on what you can do to remediate the issue detected. Only certain services, such as Security Health Analytics, provide next steps.

Related links

Links to key sources of security information outside of Security Command Center. Only certain services, such as Event Threat Detection, provide related links.

Detection service

Details about the service, or source, that detected the finding.

Information on the Source properties tab

For some findings, the details panel includes a Source properties tab that highlights certain properties from the sourceProperties object of the finding JSON.

Source properties differ for each finding and for each service that runs on Security Command Center. There's no assurance that source properties are standardized across all services. For this reason, we strongly discourage consuming source properties programmatically. If you want a source property to be standardized across all services, let us know by sending your feedback.

Information on the JSON tab

The JSON tab contains the complete JSON structure of the finding, which can be useful when you're investigating a finding or looking up attributes that you can use in your findings queries.

To copy the JSON object to your clipboard, click Copy.

The JSON structure of a finding contains the following objects:

  • findings: The finding's attributes. These attributes are standardized across all built-in and integrated services (also known as security sources). For more information, see Finding.
  • resource: The attributes of the affected resource. For more information, see Resource.
  • sourceProperties: The service-specific properties of the finding.

You can also use the ListFindings API to list findings and get their JSON definitions.

Take action on a finding from the detail view

You can take a variety of actions on a finding from the finding's detail view, such as mute the finding. If you are viewing the finding's detail view in the Google Cloud console, you can also add attributes from the finding to the current findings query.

Mute a finding in the detail view

From the detail view of a finding, you can mute or unmute the finding. You can also create a rule that mutes all future findings like the current finding.

For complete instructions for muting a finding or creating a mute rule, see Mute findings in Security Command Center.

Add attribute filters to a query from the detail view

In the Google Cloud console, in the detail view of a finding, you can add filters for the displayed attributes to the current findings query.

For information about how to add attribute filters to a query from the detail view, click the tab for the console that you are using.

Google Cloud console

  1. On the Findings page, click the finding to view its details.
  2. In the detail view of the finding, find the attribute that you want to filter on.
  3. Next to the attribute, open the drop-down menu.
  4. Select a predefined filter for the attribute. The filter is added to the findings query on the Findings page.

Security Operations console

  1. On the Findings page, click the finding to view its details.
  2. In the detail view of the finding, find the attribute that you want to filter on.
  3. Next to the attribute, open the drop-down menu.
  4. Select a predefined filter for the attribute. The filter is added to the findings query on the Findings page.

View or copy attribute API names in the detail view of a finding

Most finding attributes that are displayed in the Google Cloud console have a corresponding name that is used in the Security Command Center API.

For information about how to view or copy attribute API names in the detail view of a finding, click the tab for the console that you are using.

Google Cloud console

  1. On the Findings page, click the finding to view its details.

  2. In the detail view of the finding, you can find and copy the corresponding API name of each attribute that is displayed.

    The equivalent API name for each attribute is listed in the same row as the attribute. All API names are in the last column. For example, for the State attribute, the equivalent API name is state.

Security Operations console

  1. On the Findings page, click the finding to view its details.
  2. In the detail view of the finding, find the attribute whose API equivalent you want to copy.
  3. Next to the attribute, open the drop-down menu.
  4. Click Copy API Equivalent.

Share the detail view of a finding

To share the detail view of a finding, you can copy the URL of the detail view page for sharing with others.

For information about how to copy the URL of the detail view of a finding, click the tab for the console that you are using.

Google Cloud console

  1. On the Findings page, click the finding to view its details.
  2. Click Take action > Copy link.

Security Operations console

  1. On the Findings page, click the finding to view its details.
  2. Click Copy link.

Send feedback about the finding to Google Cloud

For information about how to send feedback about a finding, click the tab for the console that you are using.

Google Cloud console

  1. On the Findings page, click the finding to view its details.
  2. Click Take action > Send feedback.
  3. Enter a description of your feedback.
  4. To include a screenshot, click Capture screenshot.
  5. Click Send.

Security Operations console

This feature is not available in the Security Operations console.

Display details of other findings in the findings query results

To see the details of the findings that precede or follow the finding that you are viewing, use the next or previous button to go to the next or previous finding, without having to go back to the Findings page.

Add security marks to findings

A security mark is a custom key-value label that you can use to annotate a finding, associate a finding with other findings that share the same security mark, and query findings.

For complete instructions for setting security marks on findings or assets, see Using security marks.

Mute findings in the console

You can mute and unmute findings from the following views:

  • Findings query results on the Findings page
  • Detail view of a finding

You can mute individual findings or create mute rules that mute current and future findings based on filters you define.

Muted findings are hidden and silenced, but you can still view them by adding the mute="MUTED" filter to your findings query. Muted findings continue to be logged for audit and compliance purposes.

For detailed instructions on how to mute and unmute findings, see Mute findings in Security Command Center.

Change the state of a finding

A finding can have one of two states: Active or Inactive.

A state of Active means that the security issue that is identified by the finding persists in your environment as a potential threat or vulnerability.

A state of Inactive means that the security issue has been addressed.

You might want to change the state of a finding for a variety of reasons, such as to change the state of a finding to Inactive as soon as it is addressed, so you don't have to wait for the next scan to change the state for you.

For information about how to change the state of a finding, click the tab for the console that you are using.

Google Cloud console

  1. In the Google Cloud console, go to the Findings page of Security Command Center.

    Go to Findings

  2. Select your Google Cloud project or organization.
  3. In the Findings query results panel, select the finding
  4. In the action bar of the Findings query results panel, click Change active state. A popup menu appears.
  5. In the Change active state popup menu, select either Active or Inactive.

Security Operations console

This feature is not available in the Security Operations console.

Customize the Findings page

To control screen space, you can customize some of the elements that appear on the findings query results.

Hide or display columns in the findings query results

In the findings query results, you can hide any column except for Category.

The following are examples of columns that are available:

  • Category: the name of the finding type.
  • Severity: the severity of the finding. For more information about finding severity levels, see Severity classifications for findings.
  • Toxic combination score: An attack exposure score on a Toxic combination class finding.
  • Attack exposure score: The attack exposure score of the finding.
  • Event time: either when the finding was first detected or when it was last updated.
  • Create time: when the finding was created in Security Command Center.
  • Finding class: the class of the finding, such as THREAT, VULNERABILITY, and MISCONFIGURATION.
  • Resource display name: the display name of the resource in which the issue was detected.
  • Resource full name: the full name of the resource in which the issue was detected.
  • Resource cloud provider: The cloud service provider on which the resource is hosted.
  • Resource path: the path to the resource in which the issue was detected.
  • Resource type: the type of resource in which the issue was detected.
  • Security marks: Any security marks that are added to the finding.

For information about how to hide or display the columns in the findings query results, click the tab for the console that you are using.

Google Cloud console

  1. On the right of the Findings query results action bar, click Columns.
  2. Select the columns that you want to display.
  3. Clear the selections for columns that you want to hide.
  4. Click Apply to apply the changes to the Findings query results panel.

Column selections are preserved the next time you view the Findings page, even if you change projects or organizations. To clear all custom column selections, click Clear column selections.

Security Operations console

  1. In the Findings action bar, click Manage columns. The Manage columns menu opens.
  2. Select the columns that you want to display.
  3. Clear the selections for columns that you want to hide.
  4. Close the menu.

Your column selections apply only to the current tab or window. Your column settings are reset the next time you sign in to the Security Operations console.

Hide or display Finding page panels

To increase your screen space for editing queries or viewing findings, you can hide or display panels. For more information, click the tab for the console that you are using.

Google Cloud console

You can hide or display the following panels:

  • Quick filters panel
  • Query editor panel

To hide a panel, click the Toggle panel icon, or .

To display the panel, click the icon again.

Security Operations console

  • To hide the Aggregations side panel, click chevron_left Close sidebar.
  • To display the Aggregations side panel, click chevron_right Open sidebar.
  • To hide the Query editor panel, click keyboard_arrow_up Close query editor.
  • To display the Query editor panel, click keyboard_arrow_down Open query editor.

What's next