This page explains the finding classes that the Security Command Center services use to report security issues in your environment.
In finding definitions, the finding class is stored in the findingClass
field. For more information about the findingClass field, see
FindingClass.
Some findings don't include a finding class definition. Security Command Center
classifies these findings as Finding class unspecified.
The classes include the following:
Chokepoint
Misconfiguration
Observation
Posture violation
SCC Error
Threat
Toxic combination
Vulnerability
Finding class unspecified
Chokepoint class
Findings in the Chokepoint class identify a resource or resource group where high-risk attack paths converge, based on attack path simulations.
Remediating a chokepoint finding might remediate multiple toxic combinations.
For more information about Chokepoint class findings, see Toxic combinations and chokepoints overview.
Misconfiguration class
Findings in the Misconfiguration class identify vulnerabilities caused by
the incorrect or suboptimal configuration of programs, assets, or other
resources. In most cases, you can fix
the problem by updating the configuration that is indicated in the findings.
Misconfigurations are a type of vulnerability. Most Misconfiguration findings
from the built-in Security Command Center services are documented in
Vulnerability findings.
Observation class
Findings in the Observation class describe an event, configuration
detail, or other issue in your environment that might not be a problem
in itself, but could be if your environment were to be compromised.
Security Command Center services that commonly generate observations include the following:
Posture violation class
Findings in the Posture violation class describe resource configurations that
don't align with your organization's security posture or a Compliance Manager
cloud control.
SCC error class
Findings in the SCC error class identify a problem in the configuration
of Security Command Center or one of its services that prevents
Security Command Center from detecting security issues in your
Google Cloud environment.
For more information about findings in the SCC error class, see
Overview of Security Command Center errors.
Threat class
Findings in the Threat class identify a potential active attack
or other unwanted or malicious activity.
Findings in the Threat class should be investigated immediately.
For more information about findings in the Threat class, see
Remediating threats.
Toxic combination class
Findings in the Toxic combination class identify a group of security
issues that, when they occur together, create a path to one or more of
your high-value resources that a determined attacker could potentially
use to reach and compromise those resources.
For more information about Toxic combination class findings, see
Toxic combinations and chokepoints overview.
Vulnerability class
Findings in the Vulnerability class identify a flaw or weakness in software
programs that an attacker could use to gain access to or
otherwise compromise your Google Cloud environment.
For more information about findings in the Vulnerability class, see
Vulnerability findings.
Finding class unspecified class
Findings in the Finding class unspecified class either don't have
a value specified on the findingClass property or don't include the
property at all.
To determine whether the finding identifies a threat, vulnerability, or other class of security issue, you need to review the finding and investigate the issue that it identifies.
Typically, the service that generates the finding determines the finding
class and sets the findingClass property. We recommend that integrated
and third-party service providers set the findingClass property, but
doing so is not required.
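As an added example (not code from this page or from Security Command Center), the following Python triage helper shows how a consumer of findings can act on the findingClass property described above: it treats both shapes of "Finding class unspecified" (property missing, or present but empty) as needing manual review, and routes Threat findings to immediate investigation. The upper-case enum spellings and the queue names are assumptions, since the page gives only the display names.

```python
# Spelling of the API enum values is assumed here; the page gives only the display names.
FINDING_CLASS_UNSPECIFIED = "FINDING_CLASS_UNSPECIFIED"

# Triage queue per finding class, following the guidance on this page
# (Threat findings are investigated immediately; SCC errors block detection, and so on).
TRIAGE_QUEUE = {
    "THREAT": "investigate-immediately",
    "TOXIC_COMBINATION": "attack-path-review",
    "CHOKEPOINT": "attack-path-review",
    "VULNERABILITY": "remediation",
    "MISCONFIGURATION": "remediation",
    "POSTURE_VIOLATION": "posture-review",
    "OBSERVATION": "context-only",
    "SCC_ERROR": "fix-scc-configuration",
    FINDING_CLASS_UNSPECIFIED: "manual-review",
}

def finding_class(finding: dict) -> str:
    """Return the finding's class, normalising the two 'unspecified' shapes the page
    describes: the property absent entirely, or present with an empty value."""
    value = finding.get("findingClass")
    if not value:
        return FINDING_CLASS_UNSPECIFIED
    return str(value).strip().upper()

def triage(findings: list[dict]) -> dict[str, list[str]]:
    """Bucket findings by triage queue; returns {queue: [finding names]}.
    Classes this table does not know (e.g. a third-party value) also go to manual review."""
    queues: dict[str, list[str]] = {}
    for f in findings:
        queue = TRIAGE_QUEUE.get(finding_class(f), "manual-review")
        queues.setdefault(queue, []).append(f.get("name", "<unnamed>"))
    return queues

# Constructed sample findings (not real SCC output); only the fields used here are present.
SAMPLE_FINDINGS = [
    {"name": "findings/001", "findingClass": "THREAT"},
    {"name": "findings/002", "findingClass": "MISCONFIGURATION"},
    {"name": "findings/003", "findingClass": ""},            # empty value -> unspecified
    {"name": "findings/004"},                                 # property missing -> unspecified
    {"name": "findings/005", "findingClass": "CHOKEPOINT"},
    {"name": "findings/006", "findingClass": "CUSTOM_CLASS"}, # unknown value -> manual review
]

if __name__ == "__main__":
    for queue, names in sorted(triage(SAMPLE_FINDINGS).items()):
        print(f"{queue}: {names}")
```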