This page explains how to work with Security Command Center findings in the Google Cloud console and the Security Operations console.
A finding is a record that a Security Command Center service creates when it detects a security issue. Findings are listed on the Findings page. You can click a finding to see its details and its full JSON format.
Some of the actions that you can perform on the Findings page include the following:
- Query findings
- Inspect findings
- Mute findings
- Add security marks to findings
For information about working with findings programmatically, see Security Command Center client libraries.
Work with findings in the Security Command Center Enterprise consoles
If you are a Security Command Center Enterprise customer, you can work with findings in two consoles:
- Google Cloud console: available in all service tiers
- Security Operations console: available in the Enterprise tier only
For more information, see Security Command Center Enterprise consoles.
Obtain the required permissions
This section lists the IAM roles that you need to work with findings in the console.
Google Cloud console IAM roles
To work with findings in the Google Cloud console, you need the following IAM roles.
Make sure that you have the following role or roles on the organization:
- Security Center Findings Viewer (roles/securitycenter.findingsViewer)
- Security Center Findings Editor (roles/securitycenter.findingsEditor)
Check for the roles
- In the Google Cloud console, go to the IAM page.
- Select the organization.
- In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.
- For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.
Grant the roles
- In the Google Cloud console, go to the IAM page.
- Select the organization.
- Click Grant access.
- In the New principals field, enter your user identifier. This is typically the email address for a Google Account.
- In the Select a role list, select a role.
- To grant additional roles, click Add another role and add each additional role.
- Click Save.
For more information about Security Command Center roles and permissions, see IAM for organization-level activations.
Security Operations console IAM roles
If you are a Security Command Center Enterprise customer, you can work with findings in the Security Operations console. You need any of the following IAM roles:
- Chronicle SOAR Admin (roles/chronicle.soarAdmin)
- Chronicle SOAR Threat Manager (roles/chronicle.soarThreatManager)
- Chronicle SOAR Vulnerability Manager (roles/chronicle.soarVulnerabilityManager)
For information about granting the role to a user, see Map and authorize users using IAM.
View findings
For information about locating the Findings page, click the tab for the console that you are using.
Google Cloud console
- In the Google Cloud console, go to the Findings page of Security Command Center.
- Select your Google Cloud project or organization.
Security Operations console
In the Security Operations console, go to the Findings page.
https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/posture/findings
Replace CUSTOMER_SUBDOMAIN with your customer-specific identifier.
For more information about this console, see Security Operations console.
Adjust the time range to view more findings
You can adjust the time range that is used for your queries. The default time range is Last 7 days.
The time range is based on the value of the eventTime attribute of the findings, which reflects the time at which the finding record was last updated.
For information about how to adjust the time range, click the tab for the console that you are using.
Google Cloud console
On the Findings page in the Google Cloud console, set the Time range field.
Security Operations console
At the top of the list of findings on the Findings page in the Security Operations console, set the Showing field.
Finding availability
A finding usually becomes available for you to query in Security Command Center less than a minute after the service that generates the finding stores it in the Security Command Center findings database. Premium and Enterprise tier findings remain available for querying for at least 13 months. Standard tier findings remain available for at least 35 days.
Security Command Center stores one or more snapshots of each finding. A snapshot of a Premium or Enterprise tier finding is deleted 13 months after the timestamp in the eventTime field. If all snapshots for a finding are deleted, the finding can no longer be queried or recovered.
For more information about Security Command Center data retention, see Data retention.
Find and view specific findings
By default, the Findings page displays all active findings that are not muted and that are either new or updated over the last seven days.
To see specific findings, edit the findings query to specify the values or attributes that the findings you need to see must or must not contain.
The following example is the default findings query:
state="ACTIVE" AND NOT mute="MUTED"
You can see the current findings query in the Query editor panel. You can edit the query directly or select predefined filters to build the query. For more information, click the tab for the console that you are using.
Google Cloud console
On the Findings page in the Google Cloud console, you can do the following:
- In the Quick filters panel, select one or more predefined attribute filters to add them to a query. Use the Quick filters panel for commonly used, high-level filter options.
- In the Add filter menu of the Query editor panel, select one or more of the predefined attribute filters to add them to a query. Use the Add filter menu for more granular and advanced filters that are based on lower-level finding attributes. For more information, see Edit a findings query in the console.
- Edit the findings query directly in the Query editor panel.
- In the detail view of a finding, from the drop-down menu for a particular attribute, select a predefined filter for that attribute to add it to a query.
Security Operations console
On the Findings page in the Security Operations console, you can do the following:
- In the Aggregations panel, select one or more predefined attribute filters to add them to a query. Use the Aggregations panel for commonly used, high-level filter options.
- In the Add filter menu of the Query editor panel, select one or more of the predefined attribute filters to add them to a query. Use the Add filter menu for more granular and advanced filters that are based on lower-level finding attributes. For more information, see Edit a findings query in the console.
- Edit the findings query directly in the Query editor panel.
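The query shown above (state="ACTIVE" AND NOT mute="MUTED") combined with the default Last 7 days window on eventTime is what the Findings page applies before it shows anything. The following is an added example, not code from the Security Command Center documentation or its client libraries: it evaluates that query subset (=, !=, AND, OR, NOT, parentheses; NOT binds tightest, AND before OR) over constructed finding records and applies the eventTime window first. The real console and API filter syntax is larger than the subset implemented here; the sample findings, the fixed `now` timestamp and the treatment of a missing attribute (it never matches =, so != holds) are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

DEFAULT_QUERY = 'state="ACTIVE" AND NOT mute="MUTED"'

# Constructed sample findings (not real data), using the attribute names the page uses.
SAMPLE_FINDINGS = [
    {"name": "organizations/123/sources/11/findings/f1", "category": "OPEN_FIREWALL",
     "state": "ACTIVE", "mute": "UNMUTED", "severity": "HIGH",
     "eventTime": "2024-05-10T12:00:00Z"},
    {"name": "organizations/123/sources/11/findings/f2", "category": "OPEN_SSH_PORT",
     "state": "ACTIVE", "mute": "MUTED", "severity": "MEDIUM",
     "eventTime": "2024-05-11T08:30:00Z"},
    {"name": "organizations/123/sources/11/findings/f3", "category": "PUBLIC_BUCKET_ACL",
     "state": "INACTIVE", "mute": "UNMUTED", "severity": "LOW",
     "eventTime": "2024-05-11T09:00:00Z"},
    {"name": "organizations/123/sources/22/findings/f4", "category": "Malware: Bad IP",
     "state": "ACTIVE", "mute": "UNMUTED", "severity": "CRITICAL",
     "eventTime": "2024-04-01T00:00:00Z"},
]

# One token per match: "(", ")", a keyword, or a field/comparator/quoted-value comparison.
_TOKEN = re.compile(r'\s*(?:(\()|(\))|(AND|OR|NOT)\b|([A-Za-z_][\w.]*)\s*(=|!=)\s*"([^"]*)")')


def tokenize(query):
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = _TOKEN.match(query, pos)
        if not m:
            raise ValueError(f"cannot parse query near {query[pos:]!r}")
        pos = m.end()
        if m.group(1) or m.group(2):
            tokens.append(("(" if m.group(1) else ")", None))
        elif m.group(3):
            tokens.append((m.group(3), None))
        else:
            tokens.append(("CMP", (m.group(4), m.group(5), m.group(6))))
    return tokens


class _Parser:
    """Recursive descent: expr := term (OR term)*; term := factor (AND factor)*;
    factor := NOT factor | "(" expr ")" | comparison."""

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def _peek(self):
        return self.tokens[self.i][0] if self.i < len(self.tokens) else None

    def _next(self):
        tok = self.tokens[self.i]
        self.i += 1
        return tok

    def expr(self):
        node = self.term()
        while self._peek() == "OR":
            self._next()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self._peek() == "AND":
            self._next()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        kind = self._peek()
        if kind == "NOT":
            self._next()
            return ("not", self.factor())
        if kind == "(":
            self._next()
            node = self.expr()
            if self._peek() != ")":
                raise ValueError("missing closing parenthesis")
            self._next()
            return node
        if kind == "CMP":
            return ("cmp",) + self._next()[1]
        raise ValueError(f"unexpected token {kind!r}")


def parse_query(query):
    parser = _Parser(tokenize(query))
    node = parser.expr()
    if parser.i != len(parser.tokens):
        raise ValueError("trailing input after query")
    return node


def _lookup(finding, path):
    """Resolve a dotted attribute path (for example resource.type); None if absent."""
    value = finding
    for part in path.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def matches(node, finding):
    op = node[0]
    if op == "cmp":
        _, field, comparator, literal = node
        value = _lookup(finding, field)
        equal = value is not None and str(value) == literal  # assumption: absent never equals
        return equal if comparator == "=" else not equal
    if op == "not":
        return not matches(node[1], finding)
    if op == "and":
        return matches(node[1], finding) and matches(node[2], finding)
    return matches(node[1], finding) or matches(node[2], finding)


def _parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def query_findings(findings, query=DEFAULT_QUERY, now=None, days=7):
    """Apply the eventTime window first (default: last 7 days, as on the Findings
    page), then the parsed query. `now` is an ISO timestamp; None means the current time."""
    node = parse_query(query)
    cutoff = (_parse_ts(now) if now else datetime.now(timezone.utc)) - timedelta(days=days)
    return [f for f in findings if _parse_ts(f["eventTime"]) >= cutoff and matches(node, f)]


if __name__ == "__main__":
    for f in query_findings(SAMPLE_FINDINGS, now="2024-05-12T00:00:00Z"):
        print(f["category"], f["severity"])
```

Widening the window (days=60) or changing the query to mute="MUTED" surfaces the muted and older findings that the default view hides, which is the same effect as adjusting the Time range field or editing the query in the console.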
View the details of a finding
To learn more about a finding, open the detailed view of the finding by clicking the finding name in the Category column in the findings query results.
In the detail view, you can find information that is critical for understanding a finding, investigating a threat, or addressing a vulnerability.
The detail view for findings includes the following tabs that you can select to learn more about a finding and take action:
- The Summary tab, which is the default view, highlights key information and attributes about the finding.
- The Source properties tab, where you can see the attributes of the sourceProperties object of the finding JSON.
- The JSON tab, where you can see the full JSON format of the finding.
You can take certain actions on the finding in the detail view, as well as find links to additional information that is related to the finding.
Learn about the finding in the detail view
The detail view of a finding highlights important information about the finding that you can use to understand and address the underlying security issue.
Information on the Summary tab
The Summary tab provides information about the finding in the following sections:
- What was detected (or Overview)
Details about the finding that was detected, such as the following:
- The finding severity
- The finding state, ACTIVE or INACTIVE
- Any key fields that are related to the specific finding
- Vulnerability
Information from the CVE record that corresponds to the vulnerability, if any. The Vulnerability section includes information from the CVE record, such as:
- CVE ID
- CVE score
- Impact
- Exploitation activity
- Attack exposure
The attack exposure score and the time at which the score was last calculated. Clicking the score opens a visual depiction of the affected high-value resources and the associated attack path.
- Affected resource
Details about the resource that is associated with the finding, including the following information:
- The full name of the affected resource
- The cloud service provider of the resource
- The technical and security contacts
- Case information
Details about the case that is associated with the finding, including the following information.
- The full resource name of the external system that is associated with the finding
- The group assigned to the case
- The case ID, which links to the case in the Security Operations console
- The status of the case
- The update time in the external case management system
- The committed deadline for closing the case
- Security marks
The security marks that are associated with this finding, if any.
- Next steps
Guidance on what you can do to remediate the issue detected. Only certain services, such as Security Health Analytics, provide next steps.
- Related links
Links to key sources of security information outside of Security Command Center. Only certain services, such as Event Threat Detection, provide related links.
- Detection service
Details about the service, or source, that detected the finding.
Information on the Source properties tab
For some findings, the details panel includes a Source properties tab that highlights certain properties from the sourceProperties object of the finding JSON.
Source properties differ for each finding and for each service that runs on Security Command Center. There's no assurance that source properties are standardized across all services. For this reason, we strongly discourage consuming source properties programmatically. If you want a source property to be standardized across all services, let us know by sending your feedback.
Information on the JSON tab
The JSON tab contains the complete JSON structure of the finding, which can be useful when you're investigating a finding or looking up attributes that you can use in your findings queries.
To copy the JSON object to your clipboard, click Copy.
The JSON structure of a finding contains the following objects:
- findings: The finding's attributes. These attributes are standardized across all built-in and integrated services (also known as security sources). For more information, see Finding.
- resource: The attributes of the affected resource. For more information, see Resource.
- sourceProperties: The service-specific properties of the finding.
You can also use the ListFindings API to list findings and get their JSON definitions.
Take action on a finding from the detail view
You can take a variety of actions on a finding from the finding's detail view, such as muting the finding. If you are viewing the finding's detail view in the Google Cloud console, you can also add attributes from the finding to the current findings query.
Mute a finding in the detail view
From the detail view of a finding, you can mute or unmute the finding. You can also create a rule that mutes all future findings like the current finding.
For complete instructions for muting a finding or creating a mute rule, see Mute findings in Security Command Center.
Add attribute filters to a query from the detail view
In the Google Cloud console, in the detail view of a finding, you can add filters for the displayed attributes to the current findings query.
For information about how to add attribute filters to a query from the detail view, click the tab for the console that you are using.
Google Cloud console
- On the Findings page, click the finding to view its details.
- In the detail view of the finding, find the attribute that you want to filter on.
- Next to the attribute, open the drop-down menu.
- Select a predefined filter for the attribute. The filter is added to the findings query on the Findings page.
Security Operations console
- On the Findings page, click the finding to view its details.
- In the detail view of the finding, find the attribute that you want to filter on.
- Next to the attribute, open the drop-down menu.
- Select a predefined filter for the attribute. The filter is added to the findings query on the Findings page.
View or copy attribute API names in the detail view of a finding
Most finding attributes that are displayed in the Google Cloud console have a corresponding name that is used in the Security Command Center API.
For information about how to view or copy attribute API names in the detail view of a finding, click the tab for the console that you are using.
Google Cloud console
- On the Findings page, click the finding to view its details.
-
In the detail view of the finding, you can find and copy the corresponding API name of each attribute that is displayed.
The equivalent API name for each attribute is listed in the same row as the attribute. All API names are in the last column. For example, for the State attribute, the equivalent API name is
state
.
Security Operations console
- On the Findings page, click the finding to view its details.
- In the detail view of the finding, find the attribute whose API equivalent you want to copy.
- Next to the attribute, open the drop-down menu.
- Click Copy API Equivalent.
Share the detail view of a finding
To share the detail view of a finding, you can copy the URL of the detail view page for sharing with others.
For information about how to copy the URL of the detail view of a finding, click the tab for the console that you are using.
Google Cloud console
- On the Findings page, click the finding to view its details.
- Click Take action > Copy link.
Security Operations console
- On the Findings page, click the finding to view its details.
- Click Copy link.
Send feedback about the finding to Google Cloud
For information about how to send feedback about a finding, click the tab for the console that you are using.
Google Cloud console
- On the Findings page, click the finding to view its details.
- Click Take action > Send feedback.
- Enter a description of your feedback.
- To include a screenshot, click Capture screenshot.
- Click Send.
Security Operations console
This feature is not available in the Security Operations console.
Display details of other findings in the findings query results
To see the details of the findings that precede or follow the finding that you are viewing, use the next or previous button to go to the next or previous finding, without having to go back to the Findings page.
Add security marks to findings
A security mark is a custom key-value label that you can use to annotate a finding, associate a finding with other findings that share the same security mark, and query findings.
For complete instructions for setting security marks on findings or assets, see Using security marks.
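The following is an added example, not code from the Security Command Center documentation or its client libraries. It serves two passages on this page: the JSON tab's description of the finding, resource and sourceProperties objects (and the warning against consuming source properties programmatically), and the use of security marks to associate findings that share a mark. The records are constructed; the record layout {"finding": ..., "resource": ..., "sourceProperties": ...}, the use of the finding's parent attribute as the name of the detection source, and the securityMarks.marks map are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample records (not real data) in the three-object shape described above.
SAMPLE_RECORDS = [
    {
        "finding": {
            "name": "organizations/123/sources/11/findings/f1",
            "parent": "organizations/123/sources/11",
            "category": "OPEN_FIREWALL", "state": "ACTIVE", "severity": "HIGH",
            "findingClass": "MISCONFIGURATION",
            "securityMarks": {"marks": {"owner": "team-net", "env": "prod"}},
        },
        "resource": {"name": "//compute.googleapis.com/projects/p1/global/firewalls/allow-all",
                     "type": "google.compute.Firewall"},
        "sourceProperties": {"allowedRanges": ["0.0.0.0/0"], "protocol": "tcp"},
    },
    {
        "finding": {
            "name": "organizations/123/sources/22/findings/f2",
            "parent": "organizations/123/sources/22",
            "category": "Malware: Bad IP", "state": "ACTIVE", "severity": "CRITICAL",
            "findingClass": "THREAT",
            "securityMarks": {"marks": {"owner": "team-sec"}},
        },
        "resource": {"name": "//compute.googleapis.com/projects/p1/zones/z/instances/vm1",
                     "type": "google.compute.Instance"},
        "sourceProperties": {"logEntry": {"connection": {"destIp": "203.0.113.9"}}},
    },
    {
        "finding": {
            "name": "organizations/123/sources/11/findings/f3",
            "parent": "organizations/123/sources/11",
            "category": "PUBLIC_BUCKET_ACL", "state": "INACTIVE", "severity": "LOW",
            "findingClass": "MISCONFIGURATION",
            "securityMarks": {"marks": {"owner": "team-net"}},
        },
        "resource": {"name": "//storage.googleapis.com/b1", "type": "google.cloud.storage.Bucket"},
        # No sourceProperties at all: consumers must tolerate the object being absent.
    },
]


def summarize(record):
    """Build a summary from the standardized finding and resource attributes only.
    sourceProperties contributes nothing but its key names, for display."""
    finding, resource = record["finding"], record.get("resource", {})
    return {
        "name": finding["name"],
        "category": finding["category"],
        "state": finding["state"],
        "severity": finding.get("severity", "SEVERITY_UNSPECIFIED"),
        "findingClass": finding.get("findingClass"),
        "resource": resource.get("name"),
        "resourceType": resource.get("type"),
        "marks": dict(finding.get("securityMarks", {}).get("marks", {})),
        "sourcePropertyKeys": sorted(record.get("sourceProperties", {})),
    }


def group_by_mark(records, key):
    """Map each value of the security mark `key` to the names of the findings that
    carry it, which is how a mark ties related findings together. Findings without
    that mark are left out."""
    groups = defaultdict(list)
    for record in records:
        marks = record["finding"].get("securityMarks", {}).get("marks", {})
        if key in marks:
            groups[marks[key]].append(record["finding"]["name"])
    return dict(groups)


def source_property_keys_by_source(records):
    """Top-level sourceProperties keys seen per detection source. Different sources
    use different keys, which is why the page advises against consuming
    sourceProperties programmatically."""
    keys = defaultdict(set)
    for record in records:
        keys[record["finding"]["parent"]].update(record.get("sourceProperties", {}))
    return {source: sorted(k) for source, k in keys.items()}


if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(summarize(record))
    print(group_by_mark(SAMPLE_RECORDS, "owner"))
    print(source_property_keys_by_source(SAMPLE_RECORDS))
```

Anything that drives automation (routing, ticketing, suppression) should be keyed on the standardized fields that summarize returns or on security marks you set yourself; the per-source key sets that source_property_keys_by_source reports are the part that can change without notice.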
Mute findings in the console
You can mute and unmute findings from the following views:
- Findings query results on the Findings page
- Detail view of a finding
You can mute individual findings or create mute rules that mute current and future findings based on filters you define.
Muted findings are hidden and silenced, but you can still view them by adding the mute="MUTED" filter to your findings query. Muted findings continue to be logged for audit and compliance purposes.
For detailed instructions on how to mute and unmute findings, see Mute findings in Security Command Center.
Change the state of a finding
A finding can have one of two states: Active or Inactive.
A state of Active means that the security issue that is identified by the finding persists in your environment as a potential threat or vulnerability.
A state of Inactive means that the security issue has been addressed.
You might want to change the state of a finding for a variety of reasons, such as to change the state of a finding to Inactive as soon as it is addressed, so you don't have to wait for the next scan to change the state for you.
For information about how to change the state of a finding, click the tab for the console that you are using.
Google Cloud console
- In the Google Cloud console, go to the Findings page of Security Command Center.
- Select your Google Cloud project or organization.
- In the Findings query results panel, select the finding.
- In the action bar of the Findings query results panel, click Change active state. A popup menu appears.
- In the Change active state popup menu, select either Active or Inactive.
Security Operations console
This feature is not available in the Security Operations console.
Customize the Findings page
To control screen space, you can customize some of the elements that appear on the findings query results.
Hide or display columns in the findings query results
In the findings query results, you can hide any column except for Category.
The following are examples of columns that are available:
- Category: the name of the finding type.
- Severity: the severity of the finding. For more information about finding severity levels, see Severity classifications for findings.
- Toxic combination score: an attack exposure score on a Toxic combination class finding.
- Attack exposure score: the attack exposure score of the finding.
- Event time: either when the finding was first detected or when it was last updated.
- Create time: when the finding was created in Security Command Center.
- Finding class: the class of the finding, such as THREAT, VULNERABILITY, and MISCONFIGURATION.
- Resource display name: the display name of the resource in which the issue was detected.
- Resource full name: the full name of the resource in which the issue was detected.
- Resource cloud provider: The cloud service provider on which the resource is hosted.
- Resource path: the path to the resource in which the issue was detected.
- Resource type: the type of resource in which the issue was detected.
- Security marks: Any security marks that are added to the finding.
For information about how to hide or display the columns in the findings query results, click the tab for the console that you are using.
Google Cloud console
- On the right of the Findings query results action bar, click Columns.
- Select the columns that you want to display.
- Clear the selections for columns that you want to hide.
- Click Apply to apply the changes to the Findings query results panel.
Column selections are preserved the next time you view the Findings page, even if you change projects or organizations. To clear all custom column selections, click Clear column selections.
Security Operations console
- In the Findings action bar, click Manage columns. The Manage columns menu opens.
- Select the columns that you want to display.
- Clear the selections for columns that you want to hide.
- Close the menu.
Your column selections apply only to the current tab or window. Your column settings are reset the next time you sign in to the Security Operations console.
Hide or display Finding page panels
To increase your screen space for editing queries or viewing findings, you can hide or display panels. For more information, click the tab for the console that you are using.
Google Cloud console
You can hide or display the following panels:
- Quick filters panel
- Query editor panel
To hide a panel, click the Toggle panel icon.
To display the panel, click the icon again.
Security Operations console
- To hide the Aggregations side panel, click Close sidebar.
- To display the Aggregations side panel, click Open sidebar.
- To hide the Query editor panel, click Close query editor.
- To display the Query editor panel, click Open query editor.
What's next
- Learn about detection services.
- Learn how to use security marks.
- Learn how to configure Security Command Center services.
- Learn how to form a findings filter using the Security Command Center API.