This page describes how to use the Security Command Center API notifications feature, including the following examples:
- Create a
NotificationConfig
- Get a
NotificationConfig
- Update a
NotificationConfig
- Delete a
NotificationConfig
- List
NotificationConfig
- Receive Pub/Sub notifications
Alternatively, Security Command Center Premium customers can set up Continuous Exports for Pub/Sub in Security Command Center.
Before you begin
To use the examples on this page, you need to complete the guide to set up finding notifications.
To execute the following examples, you need an Identity and Access Management (IAM) role with appropriate permissions:
- Create
NotificationConfig
: Security Center Notification Configurations Editor (roles/securitycenter.notificationConfigEditor
) - Get and List
NotificationConfig
: Security Center Notification Configurations Viewer (roles/securitycenter.notificationConfigViewer
) or Security Center Notification Configurations Editor (roles/securitycenter.notificationConfigEditor
) - Update and Delete
NotificationConfig
: Security Center Notification Configurations Editor (roles/securitycenter.notificationConfigEditor
)
To grant appropriate roles to a principal that accesses a notificationConfig
,
you must have one of the following IAM roles:
- Organization Administrator (
roles/resourcemanager.organizationAdmin
) - Folder IAM Admin (
roles/resourcemanager.folderIamAdmin
) - Project IAM Admin (
roles/resourcemanager.projectIamAdmin
)
The IAM roles for Security Command Center can be granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.
Data residency and notifications
If data residency
is enabled for Security Command Center, the configurations that define
continuous exports to
Pub/Sub—notificationConfig
resources—are subject
to data residency control and are stored in your
Security Command Center location.
To export findings in a Security Command Center location to Pub/Sub, you must configure the continuous export in the same Security Command Center location as the findings.
Because the filters that are used in continuous exports can contain data that is subject to residency controls, make sure you specify the correct location before you create them. Security Command Center does not restrict which location you create exports in.
Continuous exports are stored only in the location in which they are created and cannot be viewed or edited in other locations.
After you create a continuous export, you can't change its location. To change the location, you need to delete the continuous export and recreate it in the new location.
To retrieve a continuous export by using API calls,
you need to specify the location in the full resource name of the
notificationConfig
. For example:
GET https://securitycenter.googleapis.com/v2/{name=organizations/123/locations/eu/notificationConfigs/my-pubsub-export-01}
Similarly, to retrieve a continuous export by using
the gcloud CLI, you need to specify the location either
in the full resource name of the configuration or by using the --locations
flag. For example:
gcloud scc notifications describe myContinuousExport organizations/123 \ --location=locations/us
Creating a NotificationConfig
To create a NotificationConfig
, you must have:
- An existing Pub/Sub topic that you want to send notifications to.
- Required IAM roles for the principal that creates the
notificationConfig
.
For more information, see the step to set up a Pub/Sub topic in the guide to set up finding notifications.
Before you create a NotificationConfig
, note that each organization can have a
limited number of NotificationConfig
files. For more information, see
Quotas and limits.
The NotificationConfig
includes a filter
field that limits notifications to
useful events. This field accepts all of the filters that are available in the
Security Command Center API findings.list
method.
When you create a NotificationConfig
, you specify a parent for the
NotificationConfig
from the Google Cloud resource hierarchy, either an
organization, a folder, or a project. If you need to retrieve, update, or delete
the NotificationConfig
later, you need to include the numerical ID of the
parent organization, folder, or project when you reference it.
To create the NotificationConfig
using the language or platform of your
choice:
gcloud
gcloud scc notifications create NOTIFICATION_NAME \ --PARENT=PARENT_ID \ --location=LOCATION --description="NOTIFICATION_DESCRIPTION" \ --pubsub-topic=PUBSUB_TOPIC \ --filter="FILTER"
Replace the following:
NOTIFICATION_NAME
: the name of the notification. Must be between 1 and 128 characters and contain alphanumeric characters, underscores, or hyphens only.PARENT
: the scope in the resource hierarchy to which the notification applies,organization
,folder
, orproject
.PARENT_ID
: the ID of the parent organization, folder, or project, specified in the format oforganizations/123
,folders/456
, orprojects/789
.LOCATION
: If data residency is enabled, specify the Security Command Center location in which to create the notification. The resultingnotificationConfig
resource is stored only in this location. Only findings that are issued in this location are sent to Pub/Sub.
If data residency is not enabled, specifying the --location
flag creates
the notification by using Security Command Center API v2, and the only valid
value for the flag is global
.
* NOTIFICATION_DESCRIPTION
: a description of the
notification of no more than 1,024 characters.
* PUBSUB_TOPIC
: The Pub/Sub topic that will
receive notifications. Its format is
projects/PROJECT_ID/topics/TOPIC
.
* FILTER
: the expression you define to select which
findings get sent to Pub/Sub. For example,
state=\"ACTIVE\"
.
Python
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
Java
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
Go
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
Node.js
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
PHP
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
Ruby
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
C#
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
Notifications are now published to the Pub/Sub topic you specified.
To publish notifications, a service account is created for you in the form of
service-org-ORGANIZATION_ID@gcp-sa-scc-notification.iam.gserviceaccount.com
.
This service account is created when you create your first NotificationConfig
and is automatically granted the securitycenter.notificationServiceAgent
role
on the IAM policy for PUBSUB_TOPIC when creating the notification config. This
service account role is required for notifications to function.
Getting a NotificationConfig
To get a NotificationConfig
, you must have an IAM role
that includes the securitycenter.notification.get
permission.
gcloud
gcloud scc notifications describe PARENT_TYPE/PARENT_ID/locations/LOCATION/notificationConfigs/NOTIFICATION_NAME
Replace the following:
PARENT_TYPE
withorganizations
,folders
, orprojects
, depending on which level of the resource hierarchy was specified in the notification configuration.PARENT_ID
with the numeric ID of the parent resource.LOCATION
: required if either data residency is enabled or thenotificationConfig
resources were created by using the API v2.If data residency is enabled, specify the Security Command Center location in which the notifications are stored.
If data residency is not enabled, include
/locations/LOCATION
only if thenotificationConfig
resource was created by using the Security Command Center API v2, in which case, the only valid location isglobal
.NOTIFICATION_NAME
: the name of the notification.
Python
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
Java
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
Go
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
Node.js
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
PHP
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
Ruby
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
C#
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
Updating a NotificationConfig
To update a NotificationConfig
, you must have an IAM role
that includes the securitycenter.notification.update
permission.
When you update using a field mask, only the fields you specify are updated. If
you don't use a field mask, all mutable fields in the NotificationConfig
are
replaced by the new values. You can use a field mask to update the
Pub/Sub topic and description.
To complete this example, you must be subscribed to the new topic, and your
notifications service account must have the pubsub.topics.setIamPolicy
permission on the topic.
After you grant the necessary permissions, update the NotificationConfig
description, Pub/Sub topic and filter using the language of your
choice:
gcloud
gcloud scc notifications update PARENT_TYPE/PARENT_ID/locations/LOCATION/notificationConfigs/NOTIFICATION_NAME
--description="NOTIFICATION_DESCRIPTION" \
--pubsub-topic=PUBSUB_TOPIC \
--filter="FILTER"
Replace the following:
PARENT_TYPE
withorganizations
,folders
, orprojects
, depending on which level of the resource hierarchy was specified in the notification configuration.PARENT_ID
with the numeric ID of the parent resource.LOCATION
: required if either data residency is enabled or thenotificationConfig
was created by using the API v2.If data residency is enabled, specify the Security Command Center location in which the notification is stored.
If data residency is not enabled, include
/locations/LOCATION
in the full name or specify the--location
flag only if thenotificationConfig
resource was created by using the Security Command Center API v2, in which case, the only valid location isglobal
.NOTIFICATION_NAME
: the name of the notification.NOTIFICATION_DESCRIPTION
: a description of the notification of no more than 1,024 characters.PUBSUB_TOPIC
: the Pub/Sub topic which will receive notifications. Its format isprojects/PROJECT_ID/topics/TOPIC
.FILTER
: the expression you define to select which findings get sent to Pub/Sub. For example,state="ACTIVE"
.
Python
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
Java
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
Go
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
Node.js
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
PHP
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
Ruby
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
C#
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
Deleting a NotificationConfig
To delete a NotificationConfig
, you must have an IAM role
that includes the securitycenter.notification.delete
permission.
When you delete a NotificationConfig
, the
securitycenter.notificationServiceAgent
role stays on the
Pub/Sub topic. If you aren't using the Pub/Sub topic
in any other NotificationConfig
, remove the role from the topic. For more
information, see access control.
Delete a NotificationConfig
using the language of your choice:
gcloud
gcloud scc notifications delete PARENT_TYPE/PARENT_ID/locations/LOCATION/notificationConfigs/NOTIFICATION_NAME
Replace the following:
PARENT_TYPE
withorganizations
,folders
, orprojects
, depending on which level of the resource hierarchy was specified in the notification configuration.PARENT_ID
with the numeric ID of the parent resource.LOCATION
: required if either data residency is enabled or thenotificationConfig
was created by using the API v2.If data residency is enabled, specify the Security Command Center location in which the notification is stored.
If data residency is not enabled, include
/locations/LOCATION
in the full name or specify the--location
flag only if thenotificationConfig
was created by using the Security Command Center API v2, in which case, the only valid location isglobal
.NOTIFICATION_NAME
: the name of the notification.
Python
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
Java
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
Go
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
Node.js
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
PHP
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
Ruby
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
C#
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
Listing NotificationConfigs
To list NotificationConfigs
, you must have an IAM role
that includes the securitycenter.notification.list
permission.
All Security Command Center API lists are paginated. Each response returns a page of
results and a token to return the next page. The default pageSize
is 10. You
can configure page size to a minimum of 1, and a maximum of 1000.
List NotificationConfigs
using the language of your choice:
gcloud
gcloud scc notifications list PARENT_TYPE/PARENT_ID/locations/LOCATION
Replace the following:
PARENT_TYPE
withorganizations
,folders
, orprojects
, depending on the scope at which you need to list notifications.PARENT_ID
with the numeric ID of the parent resource.LOCATION
: required if either data residency is enabled or thenotificationConfig
resources were created by using the API v2.If data residency is enabled, specify the Security Command Center location in which the notifications are stored.
If data residency is not enabled, including
/locations/LOCATION
in the name or the--location
flag in the command lists only thenotificationConfig
resources that were created by using the Security Command Center API v2 and the only valid location isglobal
.
Python
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
Java
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
Go
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
Node.js
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
PHP
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
Ruby
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
C#
The following sample uses the v1 API. To modify
the sample for v2, replace v1
with v2
and add
/locations/LOCATION
to the resource name.
For most resources, add /locations/LOCATION
to the
resource name after /PARENT/PARENT_ID
, where
PARENT
is organizations
, folders
,
or projects
.
For findings, add /locations/LOCATION
to the resource
name after /sources/SOURCE_ID
, where SOURCE_ID
is the ID of the
Security Command Center service
that issued the finding.
Receiving Pub/Sub notifications
This section provides a sample notification message and examples that show how
to convert a Pub/Sub message into a NotificationMessage
that
contains a finding.
Notifications are published to Pub/Sub in the JSON
format.
Following is an example of a notification message:
{
"notificationConfigName": "organizations/ORGANIZATION_ID/notificationConfigs/CONFIG_ID",
"finding": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
"parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
"state": "ACTIVE",
"category": "TEST-CATEGORY",
"securityMarks": {
"name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
},
"eventTime": "2019-07-26T07:32:37Z",
"createTime": "2019-07-29T18:45:27.243Z"
}
}
Convert a Pub/Sub message into a NotificationMessage
using
the language of your choice:
gcloud
The gcloud CLI doesn't support converting a Pub/Sub
message into a NotificationMessage
. You can use the gcloud CLI to
get a NotificationMessage
and print the JSON
directly in your terminal:
# The subscription used to receive published messages from a topic
PUBSUB_SUBSCRIPTION="projects/PROJECT_ID/subscriptions/SUBSCRIPTION_ID"
gcloud pubsub subscriptions pull $PUBSUB_SUBSCRIPTION
Replace the following:
- PROJECT_ID with your project ID.
- SUBSCRIPTION_ID with your subscription ID.
Python
Java
Go
Node.js
PHP
What's next
- Learn about filtering notifications.