This page explains the finding classes that the Security Command Center services use to report security issues in your environment.
In finding definitions, the finding class is stored in the findingClass field. For more information about the findingClass field, see FindingClass.
Some findings don't include a finding class definition. Security Command Center classifies these findings as Finding class unspecified.
The classes include the following:
-   Chokepoint
-   Misconfiguration
-   Observation
-   Posture violation
-   SCC error
-   Threat
-   Toxic combination
-   Vulnerability
-   Finding class unspecified

Chokepoint class

Findings in the Chokepoint class identify a resource or resource group where high-risk attack paths converge, based on attack path simulations.
Remediating a chokepoint finding might remediate multiple toxic combinations.
For more information about Chokepoint class findings, see Toxic combinations and chokepoints overview.

Misconfiguration class

Findings in the Misconfiguration class identify vulnerabilities caused by the incorrect or suboptimal configuration of programs, assets, or other resources. In most cases, you can fix the problem by updating the configuration that is indicated in the findings.
Misconfigurations are a type of vulnerability. Most Misconfiguration findings from the built-in Security Command Center services are documented in Vulnerability findings.

Observation class

Findings in the Observation class describe an event, configuration detail, or other issue in your environment that might not be a problem in itself, but could be if your environment were to be compromised.
Security Command Center services that commonly generate observations include the following:

Posture violation class

Findings in the Posture violation class describe resource configurations that don't align with your organization's security posture or a Compliance Manager cloud control.

SCC error class

Findings in the SCC error class identify a problem in the configuration of Security Command Center or one of its services that prevents Security Command Center from detecting security issues in your Google Cloud environment.
For more information about findings in the SCC error class, see Overview of Security Command Center errors.

Threat class

Findings in the Threat class identify a potential active attack or other unwanted or malicious activity.
Findings in the Threat class should be investigated immediately.
For more information about findings in the Threat class, see Remediating threats.

Toxic combination class

Findings in the Toxic combination class identify a group of security issues that, when they occur together, create a path to one or more of your high-value resources that a determined attacker could potentially use to reach and compromise those resources.
For more information about Toxic combination class findings, see Toxic combinations and chokepoints overview.

Vulnerability class

Findings in the Vulnerability class identify a flaw or weakness in software programs that an attacker could use to gain access to or otherwise compromise your Google Cloud environment.
For more information about findings in the Vulnerability class, see Vulnerability findings.

Finding class unspecified class

Findings in the Finding class unspecified class either don't have a value specified on the findingClass property or don't include the property at all.
To determine whether the finding identifies a threat, vulnerability, or other class of security issue, you need to review the finding and investigate the issue that it identifies.
Typically, the service that generates the finding determines the finding class and sets the findingClass property. We recommend that integrated and third-party service providers set the findingClass property, but doing so is not required.
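
The following triage sketch is an added example, not Security Command Center code. It assumes findings have been exported as JSON with findingClass holding the API enum name, and it treats a missing or empty property as Finding class unspecified so that those findings are reviewed rather than silently dropped. The queue names and sample findings are constructed for illustration.

```python
from collections import defaultdict

# API enum names for the classes listed on this page.
KNOWN_CLASSES = {
    "THREAT", "VULNERABILITY", "MISCONFIGURATION", "OBSERVATION",
    "SCC_ERROR", "POSTURE_VIOLATION", "TOXIC_COMBINATION", "CHOKEPOINT",
}
UNSPECIFIED = "FINDING_CLASS_UNSPECIFIED"

# Hypothetical queue names; map them to your own ticketing or paging targets.
QUEUES = {"THREAT": "investigate-now", "SCC_ERROR": "fix-scc-config"}
REVIEW_QUEUE = "manual-review"         # unspecified or unrecognized class
DEFAULT_QUEUE = "remediation-backlog"  # every other known class


def effective_class(finding):
    """Return the finding class, covering both 'no value' and 'no property'."""
    raw = finding.get("findingClass")
    if not isinstance(raw, str) or not raw.strip():
        return UNSPECIFIED
    return raw.strip().upper()


def triage(findings):
    """Group (name, class) pairs by the queue that should handle them."""
    queues = defaultdict(list)
    for item in findings:
        # Assumption: accept either a bare finding or one wrapped as {"finding": {...}}.
        finding = item.get("finding", item)
        cls = effective_class(finding)
        if cls not in KNOWN_CLASSES:
            queue = REVIEW_QUEUE
        else:
            queue = QUEUES.get(cls, DEFAULT_QUEUE)
        queues[queue].append((finding.get("name", "<no name>"), cls))
    return dict(queues)


# Constructed sample findings (not real resource names).
P = "organizations/111/sources/222/findings/"
SAMPLE = [
    {"finding": {"name": P + "a1", "findingClass": "THREAT"}},
    {"finding": {"name": P + "a2", "findingClass": "MISCONFIGURATION"}},
    {"finding": {"name": P + "a3"}},              # property absent
    {"name": P + "a4", "findingClass": ""},       # property present, no value
    {"finding": {"name": P + "a5", "findingClass": "SCC_ERROR"}},
]

if __name__ == "__main__":
    for queue, items in triage(SAMPLE).items():
        print(queue, items)
```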

