Threat Intelligence API . projects . findings

Instance Methods

close()

Close httplib2 connections.

get(name, x__xgafv=None)

Get a finding by name.

list(parent, filter=None, orderBy=None, pageSize=None, pageToken=None, x__xgafv=None)

Get a list of findings that meet the filter criteria.

list_next()

Retrieves the next page of results.

search(parent, orderBy=None, pageSize=None, pageToken=None, query=None, x__xgafv=None)

SearchFindings is a more powerful version of ListFindings that supports complex queries like "findings for issues" using functions such as `has_issue` and `has_asset` in the query string. Example to search for findings for a specific issue: `has_issue("name=\"vaults/vault-12345/issues/issue-12345\"")`

search_next()

Retrieves the next page of results.

Method Details

close()

Close httplib2 connections.

get(name, x__xgafv=None)

Get a finding by name.

Args:
  name: string, Required. Name of the finding to get. (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A ‘stateless’ and a point in time event that a check produced a result of interest.
  "aiSummary": "A String", # Optional. AI summary of the finding.
  "alert": "A String", # Optional. Name of the alert that this finding is bound to.
  "asset": "A String", # Optional. Asset name if known. Format: vaults/{vault}/assets/{asset}
  "audit": { # Tracks basic CRUD facts. # Output only. Audit data about the finding.
    "createTime": "A String", # Output only. Time of creation.
    "creator": "A String", # Output only. Agent that created or updated the record, could be a UserId or a JobId.
    "updateTime": "A String", # Output only. Time of creation or last update.
    "updater": "A String", # Output only. Agent that last updated the record, could be a UserId or a JobId.
  },
  "configurations": [ # Optional. Configuration names that are bound to this finding.
    "A String",
  ],
  "detail": { # Wrapper class that contains the union struct for all the various findings detail specific classes. # Required. Holder of the domain specific details of the finding.
    "compromisedCredentials": { # Sample compromised credential detail. # Compromised Credentials detail type.
      "author": "A String", # Optional. Reference to the author this detail was extracted from. This is deprecated and will be removed.
      "credentialService": "A String", # Optional. Claimed site the credential is intended for.
      "darkWebDoc": "A String", # Optional. Reference to the dark web document. This is deprecated and will be removed.
      "externalReferenceUri": "A String", # Optional. This will contain a link to the external reference for this credential. If set, this is a link back to the DTM product to allow customers to get additional context about this finding.
      "fileDump": "A String", # Optional. If the source of the credential was from a file dump this will contain the name of the file the credential was found in. This can be used by customers for context on where the credential was found and to try to find other references to the file in the wild.
      "fileDumpHashes": [ # Optional. A list of hashes of the file dump. These will be prefixed with the algorithm. Example: "sha256:"
        "A String",
      ],
      "fileDumpSizeBytes": "A String", # Optional. If file_dump is set this will contain the size of the dump file in bytes. File dumps can be very large.
      "forum": "A String", # Optional. Reference to the forum this detail was extracted from. This is deprecated and will be removed.
      "malwareFamily": "A String", # Optional. This will indicate the malware family that leaked this credential, if known.
      "postedTime": "A String", # Optional. This indicates our best guess as to when the credential was leaked to the particular venue that triggered this finding. This is not necessarily the time the credential was actually leaked and it may not always be accurate.
      "sourceUri": "A String", # Optional. If the source of a credential is publicly addressable this will contain a URI to where the credential was found.
      "userKey": "A String", # Required. This field will always be set and will be used to identify the user named in the credential leak. In cases where customers are authorized to see the actual user key this will be set to the actual user key. In cases where the customer is not authorized to see the actual user key this will be set to a hash of the user key. The hashed value is an intentionally opaque value that is not intended to be used for any other purpose than to uniquely identify the user in the context of this specific customer, service domain, and user name. Example: "user@example.com" or "redacted:".
      "userSecretEvidence": "A String", # Optional. Claimed evidence of the password/secret. This will always be hashed. In the event where the plaintext password is known it will be set to "redacted:" where the same hash will be presented when the same password is found for the same organization for the same service. Redaction is done by hashing the password with a salt that is unique to the customer organization and service. In the event where the plaintext password is not known it will be set to "<algorithm>:<hash>" where the algorithm is the hash algorithm used and the hash is the hash of the password using that algorithm. In the event we don't know the exact algorithm used we will set it to "hashed:".
    },
    "dataLeak": { # A detail object for a Data Leak finding. # Data Leak finding detail type.
      "documentId": "A String", # Required. The unique identifier of the document that triggered the Data Leak finding. This ID can be used to retrieve the content of the document for further analysis.
      "matchScore": 3.14, # Required. Reference to the match score of the Data Leak finding. This is a float value greater than 0 and less than or equal to 1 calculated by the matching engine based on the similarity of the document and the user provided configurations.
      "severity": "A String", # Required. The severity of the Data Leak finding. This indicates the potential impact of the threat.
    },
    "detailType": "A String", # Output only. Name of the detail type. Will be set by the server during creation to the name of the field that is set in the detail union.
    "inbandVulnerability": { # This is a temporary detail type that will be used to support vulnerabilities until the engines start using the full vulnerability objects. The "Inband" refers to the fact that all vulnerability details are included with every finding. # Inband vulnerability detail type.
      "formattedProofDetails": "A String", # Optional. A short description of the proof of the vulnerability.
      "requestUri": "A String", # Optional. The URI that led to this detection, if appropriate.
      "vulnerability": { # Fleshed out vulnerability object that includes enough details to fill out a vulnerability specific view for an issue. # Required. Vulnerability metadata.
        "affectedSoftware": [ # Optional. The software that is affected by the vulnerability.
          { # The software that is affected by the vulnerability.
            "product": "A String", # Optional. The product of the software.
            "vendor": "A String", # Optional. The vendor of the software.
          },
        ],
        "authors": [ # Optional. The authors of the vulnerability detection.
          "A String",
        ],
        "cveId": "A String", # Required. The CVE ID of the vulnerability.
        "cvssV31Score": 3.14, # Required. The CVSS V3.1 score (Base score) for the vulnerability.
        "cvssV31ScoreTemporal": 3.14, # Optional. Temporal CVSS V3.1 score for the vulnerability.
        "description": "A String", # Optional. The human readable description. This can be basic HTML formatted text.
        "disclosureTime": "A String", # Optional. The date the vulnerability was first disclosed.
        "exploitationState": "A String", # Optional. Exploitation state of the vulnerability, for example "Available".
        "externalVulnerabilityId": "A String", # Required. The external ID of the vulnerability.
        "isExploitedWild": True or False, # Optional. Whether this is exploited in the wild.
        "referenceUrls": [ # Optional. Reference URLs to the vulnerability.
          "A String",
        ],
        "remediation": "A String", # Optional. The human readable remediation recommendation. This can be basic HTML formatted text.
        "riskRating": "A String", # Optional. Risk rating for the vulnerability, for example "High".
        "title": "A String", # Optional. Human readable name for the vulnerability.
      },
    },
    "initialAccessBroker": { # A detail object for an Initial Access Broker (IAB) finding. # Initial Access Broker finding detail type.
      "documentId": "A String", # Required. The unique identifier of the document that triggered the IAB finding. This ID can be used to retrieve the content of the document for further analysis.
      "matchScore": 3.14, # Required. Reference to the match score of the IAB finding. This is a float value between 0 and 1 calculated by the matching engine based on the similarity of the document and the user provided configurations.
      "severity": "A String", # Required. The severity of the IAB finding. This indicates the potential impact of the threat.
    },
    "insiderThreat": { # A detail object for an InsiderThreat finding. # Insider Threat finding detail type.
      "documentId": "A String", # Required. The unique identifier of the document that triggered the InsiderThreat finding. This ID can be used to retrieve the content of the document for further analysis.
      "matchScore": 3.14, # Required. Reference to the match score of the InsiderThreat finding. This is a float value greater than 0 and less than or equal to 1 calculated by the matching engine based on the similarity of the document and the user provided configurations.
      "severity": "A String", # Required. The severity of the InsiderThreat finding. This indicates the potential impact of the threat.
    },
    "misconfiguration": { # Misconfiguration finding detail. # Misconfiguration finding detail type.
      "misconfigurationMetadata": { # Misconfiguration metadata. # Required. The misconfiguration metadata.
        "description": "A String", # Optional. Description of the misconfiguration.
        "displayName": "A String", # Optional. A user-friendly name for the misconfiguration.
        "misconfigurationId": "A String", # Required. The identifier for the misconfiguration. This is an internal name generated by the finding provider.
        "references": [ # Optional. References to external resources that provide more information about the misconfiguration.
          { # A reference to an external resource that provides more information about a misconfiguration.
            "type": "A String", # Required. The type of the reference (e.g., "description", "remediation").
            "uri": "A String", # Required. The URI of the reference.
          },
        ],
        "remediation": "A String", # Optional. Recommended remediation steps for the misconfiguration.
        "vulnerableUri": "A String", # Optional. The endpoint which was found to have the vulnerability.
      },
    },
    "suspiciousDomain": { # A detailed object for a suspicious Domain finding. # Domain Monitoring finding detail type.
      "dns": { # The DNS details of the suspicious domain. # The DNS details of the suspicious domain.
        "dnsRecords": [ # The DNS records of the suspicious domain.
          { # The DNS record of the suspicious domain.
            "record": "A String", # The name of the DNS record.
            "ttl": 42, # The TTL of the DNS record.
            "type": "A String", # The type of the DNS record.
            "value": "A String", # The value of the DNS record.
          },
        ],
        "retrievalTime": "A String", # The time the DNS details were retrieved.
      },
      "domain": "A String", # Required. The suspicious domain name.
      "gtiDetails": { # The GTI details of the suspicious domain. # The GTI details of the suspicious domain.
        "threatScore": 42, # The threat score of the suspicious domain. The threat score is a number between 0 and 100.
        "verdict": "A String", # Output only. The verdict of the suspicious domain.
        "virustotalUri": "A String", # VirusTotal link for the domain
      },
      "matchScore": 3.14, # Required. Reference to the match score of the finding. This is a float value between 0 and 1 calculated by the matching engine.
      "severity": "A String", # Required. The severity of the finding. This indicates the potential impact of the threat.
      "whois": { # The whois details of the suspicious domain. # The whois details of the suspicious domain.
        "retrievalTime": "A String", # The time the whois details were retrieved.
        "whois": "A String", # The whois details of the suspicious domain.
      },
    },
    "targetTechnology": { # Contains details for a technology watchlist finding. # Technology Watchlist finding detail type.
      "vulnerabilityMatch": { # Contains details about a vulnerability match. # Output only. The vulnerability match details.
        "associations": [ # Optional. Associated threat actors, malware, etc. This is embedded as a snapshot because the details of the association at the time of the vulnerability match are important for context and reporting.
          { # Represents an association with a vulnerability.
            "id": "A String", # Required. The ID of the association.
            "type": "A String", # Required. The type of the association.
          },
        ],
        "collectionId": "A String", # Output only. The collection ID of the vulnerability. Ex: "vulnerability--cve-2025-9876".
        "cveId": "A String", # Output only. The CVE ID of the vulnerability. Ex: "CVE-2025-9876". See https://www.cve.org/ for more information.
        "cvss3Score": 3.14, # Output only. The CVSS v3 score of the vulnerability. Example: 6.4.
        "description": "A String", # Output only. A description of the vulnerability.
        "exploitationState": "A String", # Output only. The exploitation state of the vulnerability.
        "riskRating": "A String", # Output only. The risk rating of the vulnerability.
        "technologies": [ # Output only. The affected technologies. Ex: "Apache Struts".
          "A String",
        ],
      },
    },
  },
  "displayName": "A String", # Required. A short descriptive title for the finding <= 250 chars. EX: "Actor 'baddy' offering $1000 for credentials of 'goodguy'".
  "issue": "A String", # Optional. Name of the issue that this finding is bound to. Format: vaults/{vault}/issues/{issue}
  "name": "A String", # Identifier. Server generated name for the finding (leave clear during creation). Format: vaults/{vault}/findings/{finding}
  "provider": "A String", # Required. Logical source of this finding (name of the sub-engine).
  "relevanceAnalysis": { # Structured relevance analysis for a threat. # Output only. High-Precision Relevance Analysis verdict for the finding.
    "confidence": "A String", # The level of confidence in the given verdict.
    "evidence": { # Details the evidence used to determine the relevance verdict. # Evidence supporting the verdict, including matched and unmatched items.
      "commonThemes": [ # A list of semantic themes or concepts found to be common, related, or aligned between the sources, supporting the verdict.
        "A String",
      ],
      "distinctThemes": [ # A list of semantic themes or descriptions unique to one source or semantically distant.
        "A String",
      ],
    },
    "reasoning": "A String", # Human-readable explanation from the matcher, detailing why a particular result is considered relevant or not relevant.
    "relevanceLevel": "A String", # The level of relevance.
    "relevant": True or False, # Indicates whether the threat is considered relevant.
  },
  "reoccurrenceTimes": [ # Output only. Times when an identical finding (same labels and same details) has re-occurred.
    "A String",
  ],
  "severity": 3.14, # Optional. Deprecated: Use the `severity_analysis` field instead. Base severity score from the finding source.
  "severityAnalysis": { # Structured severity analysis for a threat. # Output only. High-Precision Severity Analysis verdict for the finding.
    "confidence": "A String", # The level of confidence in the given verdict.
    "reasoning": "A String", # Human-readable explanation from the model, detailing why a particular result is considered to have a certain severity.
    "severityLevel": "A String", # The level of severity.
  },
}

list(parent, filter=None, orderBy=None, pageSize=None, pageToken=None, x__xgafv=None)

Get a list of findings that meet the filter criteria.

Args:
  parent: string, Required. Parent of the findings. (required)
  filter: string, Optional. Filter criteria.
  orderBy: string, Optional. Order by criteria in the csv format: "field1,field2 desc" or "field1,field2" or "field1 asc, field2".
  pageSize: integer, Optional. Page size.
  pageToken: string, Optional. Page token.
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Response message for ListFindings.
  "findings": [ # List of findings.
    { # A ‘stateless’ and a point in time event that a check produced a result of interest.
      "aiSummary": "A String", # Optional. AI summary of the finding.
      "alert": "A String", # Optional. Name of the alert that this finding is bound to.
      "asset": "A String", # Optional. Asset name if known. Format: vaults/{vault}/assets/{asset}
      "audit": { # Tracks basic CRUD facts. # Output only. Audit data about the finding.
        "createTime": "A String", # Output only. Time of creation.
        "creator": "A String", # Output only. Agent that created or updated the record, could be a UserId or a JobId.
        "updateTime": "A String", # Output only. Time of creation or last update.
        "updater": "A String", # Output only. Agent that last updated the record, could be a UserId or a JobId.
      },
      "configurations": [ # Optional. Configuration names that are bound to this finding.
        "A String",
      ],
      "detail": { # Wrapper class that contains the union struct for all the various findings detail specific classes. # Required. Holder of the domain specific details of the finding.
        "compromisedCredentials": { # Sample compromised credential detail. # Compromised Credentials detail type.
          "author": "A String", # Optional. Reference to the author this detail was extracted from. This is deprecated and will be removed.
          "credentialService": "A String", # Optional. Claimed site the credential is intended for.
          "darkWebDoc": "A String", # Optional. Reference to the dark web document. This is deprecated and will be removed.
          "externalReferenceUri": "A String", # Optional. This will contain a link to the external reference for this credential. If set, this is a link back to the DTM product to allow customers to get additional context about this finding.
          "fileDump": "A String", # Optional. If the source of the credential was from a file dump this will contain the name of the file the credential was found in. This can be used by customers for context on where the credential was found and to try to find other references to the file in the wild.
          "fileDumpHashes": [ # Optional. A list of hashes of the file dump. These will be prefixed with the algorithm. Example: "sha256:"
            "A String",
          ],
          "fileDumpSizeBytes": "A String", # Optional. If file_dump is set this will contain the size of the dump file in bytes. File dumps can be very large.
          "forum": "A String", # Optional. Reference to the forum this detail was extracted from. This is deprecated and will be removed.
          "malwareFamily": "A String", # Optional. This will indicate the malware family that leaked this credential, if known.
          "postedTime": "A String", # Optional. This indicates our best guess as to when the credential was leaked to the particular venue that triggered this finding. This is not necessarily the time the credential was actually leaked and it may not always be accurate.
          "sourceUri": "A String", # Optional. If the source of a credential is publicly addressable this will contain a URI to where the credential was found.
          "userKey": "A String", # Required. This field will always be set and will be used to identify the user named in the credential leak. In cases where customers are authorized to see the actual user key this will be set to the actual user key. In cases where the customer is not authorized to see the actual user key this will be set to a hash of the user key. The hashed value is an intentionally opaque value that is not intended to be used for any other purpose than to uniquely identify the user in the context of this specific customer, service domain, and user name. Example: "user@example.com" or "redacted:".
          "userSecretEvidence": "A String", # Optional. Claimed evidence of the password/secret. This will always be hashed. In the event where the plaintext password is known it will be set to "redacted:" where the same hash will be presented when the same password is found for the same organization for the same service. Redaction is done by hashing the password with a salt that is unique to the customer organization and service. In the event where the plaintext password is not known it will be set to "<algorithm>:<hash>" where the algorithm is the hash algorithm used and the hash is the hash of the password using that algorithm. In the event we don't know the exact algorithm used we will set it to "hashed:".
        },
        "dataLeak": { # A detail object for a Data Leak finding. # Data Leak finding detail type.
          "documentId": "A String", # Required. The unique identifier of the document that triggered the Data Leak finding. This ID can be used to retrieve the content of the document for further analysis.
          "matchScore": 3.14, # Required. Reference to the match score of the Data Leak finding. This is a float value greater than 0 and less than or equal to 1 calculated by the matching engine based on the similarity of the document and the user provided configurations.
          "severity": "A String", # Required. The severity of the Data Leak finding. This indicates the potential impact of the threat.
        },
        "detailType": "A String", # Output only. Name of the detail type. Will be set by the server during creation to the name of the field that is set in the detail union.
        "inbandVulnerability": { # This is a temporary detail type that will be used to support vulnerabilities until the engines start using the full vulnerability objects. The "Inband" refers to the fact that all vulnerability details are included with every finding. # Inband vulnerability detail type.
          "formattedProofDetails": "A String", # Optional. A short description of the proof of the vulnerability.
          "requestUri": "A String", # Optional. The URI that led to this detection, if appropriate.
          "vulnerability": { # Fleshed out vulnerability object that includes enough details to fill out a vulnerability specific view for an issue. # Required. Vulnerability metadata.
            "affectedSoftware": [ # Optional. The software that is affected by the vulnerability.
              { # The software that is affected by the vulnerability.
                "product": "A String", # Optional. The product of the software.
                "vendor": "A String", # Optional. The vendor of the software.
              },
            ],
            "authors": [ # Optional. The authors of the vulnerability detection.
              "A String",
            ],
            "cveId": "A String", # Required. The CVE ID of the vulnerability.
            "cvssV31Score": 3.14, # Required. The CVSS V3.1 score (Base score) for the vulnerability.
            "cvssV31ScoreTemporal": 3.14, # Optional. Temporal CVSS V3.1 score for the vulnerability.
            "description": "A String", # Optional. The human readable description. This can be basic HTML formatted text.
            "disclosureTime": "A String", # Optional. The date the vulnerability was first disclosed.
            "exploitationState": "A String", # Optional. Exploitation state of the vulnerability, for example "Available".
            "externalVulnerabilityId": "A String", # Required. The external ID of the vulnerability.
            "isExploitedWild": True or False, # Optional. Whether this is exploited in the wild.
            "referenceUrls": [ # Optional. Reference URLs to the vulnerability.
              "A String",
            ],
            "remediation": "A String", # Optional. The human readable remediation recommendation. This can be basic HTML formatted text.
            "riskRating": "A String", # Optional. Risk rating for the vulnerability, for example "High".
            "title": "A String", # Optional. Human readable name for the vulnerability.
          },
        },
        "initialAccessBroker": { # A detail object for an Initial Access Broker (IAB) finding. # Initial Access Broker finding detail type.
          "documentId": "A String", # Required. The unique identifier of the document that triggered the IAB finding. This ID can be used to retrieve the content of the document for further analysis.
          "matchScore": 3.14, # Required. Reference to the match score of the IAB finding. This is a float value between 0 and 1 calculated by the matching engine based on the similarity of the document and the user provided configurations.
          "severity": "A String", # Required. The severity of the IAB finding. This indicates the potential impact of the threat.
        },
        "insiderThreat": { # A detail object for an InsiderThreat finding. # Insider Threat finding detail type.
          "documentId": "A String", # Required. The unique identifier of the document that triggered the InsiderThreat finding. This ID can be used to retrieve the content of the document for further analysis.
          "matchScore": 3.14, # Required. Reference to the match score of the InsiderThreat finding. This is a float value greater than 0 and less than or equal to 1 calculated by the matching engine based on the similarity of the document and the user provided configurations.
          "severity": "A String", # Required. The severity of the InsiderThreat finding. This indicates the potential impact of the threat.
        },
        "misconfiguration": { # Misconfiguration finding detail. # Misconfiguration finding detail type.
          "misconfigurationMetadata": { # Misconfiguration metadata. # Required. The misconfiguration metadata.
            "description": "A String", # Optional. Description of the misconfiguration.
            "displayName": "A String", # Optional. A user-friendly name for the misconfiguration.
            "misconfigurationId": "A String", # Required. The identifier for the misconfiguration. This is an internal name generated by the finding provider.
            "references": [ # Optional. References to external resources that provide more information about the misconfiguration.
              { # A reference to an external resource that provides more information about a misconfiguration.
                "type": "A String", # Required. The type of the reference (e.g., "description", "remediation").
                "uri": "A String", # Required. The URI of the reference.
              },
            ],
            "remediation": "A String", # Optional. Recommended remediation steps for the misconfiguration.
            "vulnerableUri": "A String", # Optional. The endpoint which was found to have the vulnerability.
          },
        },
        "suspiciousDomain": { # A detailed object for a suspicious Domain finding. # Domain Monitoring finding detail type.
          "dns": { # The DNS details of the suspicious domain. # The DNS details of the suspicious domain.
            "dnsRecords": [ # The DNS records of the suspicious domain.
              { # The DNS record of the suspicious domain.
                "record": "A String", # The name of the DNS record.
                "ttl": 42, # The TTL of the DNS record.
                "type": "A String", # The type of the DNS record.
                "value": "A String", # The value of the DNS record.
              },
            ],
            "retrievalTime": "A String", # The time the DNS details were retrieved.
          },
          "domain": "A String", # Required. The suspicious domain name.
          "gtiDetails": { # The GTI details of the suspicious domain. # The GTI details of the suspicious domain.
            "threatScore": 42, # The threat score of the suspicious domain. The threat score is a number between 0 and 100.
            "verdict": "A String", # Output only. The verdict of the suspicious domain.
            "virustotalUri": "A String", # VirusTotal link for the domain
          },
          "matchScore": 3.14, # Required. Reference to the match score of the finding. This is a float value between 0 and 1 calculated by the matching engine.
          "severity": "A String", # Required. The severity of the finding. This indicates the potential impact of the threat.
          "whois": { # The whois details of the suspicious domain. # The whois details of the suspicious domain.
            "retrievalTime": "A String", # The time the whois details were retrieved.
            "whois": "A String", # The whois details of the suspicious domain.
          },
        },
        "targetTechnology": { # Contains details for a technology watchlist finding. # Technology Watchlist finding detail type.
          "vulnerabilityMatch": { # Contains details about a vulnerability match. # Output only. The vulnerability match details.
            "associations": [ # Optional. Associated threat actors, malware, etc. This is embedded as a snapshot because the details of the association at the time of the vulnerability match are important for context and reporting.
              { # Represents an association with a vulnerability.
                "id": "A String", # Required. The ID of the association.
                "type": "A String", # Required. The type of the association.
              },
            ],
            "collectionId": "A String", # Output only. The collection ID of the vulnerability. Ex: "vulnerability--cve-2025-9876".
            "cveId": "A String", # Output only. The CVE ID of the vulnerability. Ex: "CVE-2025-9876". See https://www.cve.org/ for more information.
            "cvss3Score": 3.14, # Output only. The CVSS v3 score of the vulnerability. Example: 6.4.
            "description": "A String", # Output only. A description of the vulnerability.
            "exploitationState": "A String", # Output only. The exploitation state of the vulnerability.
            "riskRating": "A String", # Output only. The risk rating of the vulnerability.
            "technologies": [ # Output only. The affected technologies. Ex: "Apache Struts".
              "A String",
            ],
          },
        },
      },
      "displayName": "A String", # Required. A short descriptive title for the finding <= 250 chars. EX: "Actor 'baddy' offering $1000 for credentials of 'goodguy'".
      "issue": "A String", # Optional. Name of the issue that this finding is bound to. Format: vaults/{vault}/issues/{issue}
      "name": "A String", # Identifier. Server generated name for the finding (leave clear during creation). Format: vaults/{vault}/findings/{finding}
      "provider": "A String", # Required. Logical source of this finding (name of the sub-engine).
      "relevanceAnalysis": { # Structured relevance analysis for a threat. # Output only. High-Precision Relevance Analysis verdict for the finding.
        "confidence": "A String", # The level of confidence in the given verdict.
        "evidence": { # Details the evidence used to determine the relevance verdict. # Evidence supporting the verdict, including matched and unmatched items.
          "commonThemes": [ # A list of semantic themes or concepts found to be common, related, or aligned between the sources, supporting the verdict.
            "A String",
          ],
          "distinctThemes": [ # A list of semantic themes or descriptions unique to one source or semantically distant.
            "A String",
          ],
        },
        "reasoning": "A String", # Human-readable explanation from the matcher, detailing why a particular result is considered relevant or not relevant.
        "relevanceLevel": "A String", # The level of relevance.
        "relevant": True or False, # Indicates whether the threat is considered relevant.
      },
      "reoccurrenceTimes": [ # Output only. When identical finding (same labels and same details) has re-occurred.
        "A String",
      ],
      "severity": 3.14, # Optional. Deprecated: Use the `severity_analysis` field instead. Base severity score from the finding source.
      "severityAnalysis": { # Structured severity analysis for a threat. # Output only. High-Precision Severity Analysis verdict for the finding.
        "confidence": "A String", # The level of confidence in the given verdict.
        "reasoning": "A String", # Human-readable explanation from the model, detailing why a particular result is considered to have a certain severity.
        "severityLevel": "A String", # The level of severity.
      },
    },
  ],
  "nextPageToken": "A String", # Page token.
}
list_next()
Retrieves the next page of results.

        Args:
          previous_request: The request for the previous page. (required)
          previous_response: The response from the request for the previous page. (required)

        Returns:
          A request object that you can call 'execute()' on to request the next
          page. Returns None if there are no more items in the collection.
        
search(parent, orderBy=None, pageSize=None, pageToken=None, query=None, x__xgafv=None)
SearchFindings is a more powerful version of ListFindings that supports complex queries like "findings for issues" using functions such as `has_issue` and `has_asset` in the query string. Example to search for findings for a specific issue: `has_issue("name=\"vaults/vault-12345/issues/issue-12345\"")`

Args:
  parent: string, Required. Parent of the findings. Format: vaults/{vault} (required)
  orderBy: string, Optional. Order by criteria in the csv format: "field1,field2 desc" or "field1,field2" or "field1 asc, field2".
  pageSize: integer, Optional. Page size.
  pageToken: string, Optional. Page token.
  query: string, Optional. Query on what findings will be returned. This supports the same filter criteria as FindingService.ListFindings as well as the following relationship queries `has_issue` and `has_asset`. Examples:
    - has_issue("name=\"vaults/vault-12345/issues/issue-12345\"")
    - has_asset("name=\"vaults/vault-12345/assets/asset-12345\"")
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Response message for SearchFindings.
  "findings": [ # List of findings.
    { # A ‘stateless’ and a point in time event that a check produced a result of interest.
      "aiSummary": "A String", # Optional. AI summary of the finding.
      "alert": "A String", # Optional. Name of the alert that this finding is bound to.
      "asset": "A String", # Optional. Optional - asset name if known. Format: vaults/{vault}/assets/{asset}
      "audit": { # Tracks basic CRUD facts. # Output only. Audit data about the finding.
        "createTime": "A String", # Output only. Time of creation.
        "creator": "A String", # Output only. Agent that created or updated the record, could be a UserId or a JobId.
        "updateTime": "A String", # Output only. Time of creation or last update.
        "updater": "A String", # Output only. Agent that last updated the record, could be a UserId or a JobId.
      },
      "configurations": [ # Optional. Configuration names that are bound to this finding.
        "A String",
      ],
      "detail": { # Wrapper class that contains the union struct for all the various findings detail specific classes. # Required. Holder of the domain specific details of the finding.
        "compromisedCredentials": { # Sample compromised credential detail. # Compromised Credentials detail type.
          "author": "A String", # Optional. Reference to the author this detail was extracted from. This is deprecated and will be removed.
          "credentialService": "A String", # Optional. Claimed site the credential is intended for.
          "darkWebDoc": "A String", # Optional. Reference to the dark web document. This is deprecated and will be removed.
          "externalReferenceUri": "A String", # Optional. This will contain a link to the external reference for this credential. If set, this is a link back to the DTM product to allow customers to get additional context about this finding.
          "fileDump": "A String", # Optional. If the source of the credential was from a file dump this will contain the name of the file the credential was found in. This can be used by customers for context on where the credential was found and to try to find other references to the file in the wild.
          "fileDumpHashes": [ # Optional. A list of hashes of the file dump. These will be prefixed with the algorithm. Example: "sha256:"
            "A String",
          ],
          "fileDumpSizeBytes": "A String", # Optional. If file_dump is set this will contain the size of the dump file in bytes. File dumps can be very large.
          "forum": "A String", # Optional. Reference to the forum this detail was extracted from. This is deprecated and will be removed.
          "malwareFamily": "A String", # Optional. This will indicate the malware family that leaked this credential, if known.
          "postedTime": "A String", # Optional. This indicates our best guess as to when the credential was leaked to the particular venue that triggered this finding. This is not necessarily the time the credential was actually leaked and it may not always be be accurate.
          "sourceUri": "A String", # Optional. If the source of a credential is publicly addressable this will contain a uri to the where the credential was found.
          "userKey": "A String", # Required. This field will always be set and will be used to identify the user named in the credential leak. In cases where customers are authorized to see the actual user key this will be set to the actual user key. In cases where the customer is not authorized to see the actual user key this will be set to a hash of the user key. The hashed value is an intentionally opaque value that is not intended to be used for any other purpose than to uniquely identify the user in the context of this specific customer, service domain, and user name. Example: "user@example.com" or "redacted:".
          "userSecretEvidence": "A String", # Optional. Claimed evidence of the password/secret. This will always be hashed. In the event where the plaintext password is known it will be set to "redacted:" where the same hash will be presented when the same password is found for the same organization for the same service. Redaction is done by hashing the password with a salt that is unique to the customer organization and service. In the event where the plaintext password is not known it will be set to ":" where the algorithm is the hash algorithm used and the hash is the hash of the password using that algorithm. In the event we don't know the exact algorithm used we will set it to "hashed:".
        },
        "dataLeak": { # A detail object for a Data Leak finding. # Data Leak finding detail type.
          "documentId": "A String", # Required. The unique identifier of the document that triggered the Data Leak finding. This ID can be used to retrieve the content of the document for further analysis.
          "matchScore": 3.14, # Required. Reference to the match score of the Data Leak finding. This is a float value greater than 0 and less than or equal to 1 calculated by the matching engine based on the similarity of the document and the user provided configurations.
          "severity": "A String", # Required. The severity of the Data Leak finding. This indicates the potential impact of the threat.
        },
        "detailType": "A String", # Output only. Name of the detail type. Will be set by the server during creation to the name of the field that is set in the detail union.
        "inbandVulnerability": { # This is a temporary detail type that will be used to support vulnerabilities until the engines start using the full vulnerability objects. The "Inband" refers to the fact that all vulnerability details are included with every finding. # Inband vulnerability detail type.
          "formattedProofDetails": "A String", # Optional. A short description of the proof of the vulnerability.
          "requestUri": "A String", # Optional. The URI that lead to this detection, if appropriate.
          "vulnerability": { # Fleshed out vulnerability object that includes enough details to fill out a vulnerability specific view for an issue. # Required. Vulnerability metadata.
            "affectedSoftware": [ # Optional. The software that is affected by the vulnerability.
              { # The software that is affected by the vulnerability.
                "product": "A String", # Optional. The product of the software.
                "vendor": "A String", # Optional. The vendor of the software.
              },
            ],
            "authors": [ # Optional. The authors of the vulnerability detection.
              "A String",
            ],
            "cveId": "A String", # Required. The CVE ID of the vulnerability.
            "cvssV31Score": 3.14, # Required. The CVSS V3.1 score (Base score)for the vulnerability. ( )
            "cvssV31ScoreTemporal": 3.14, # Optional. Temporal CVSS V3.1 score for the vulnerability.
            "description": "A String", # Optional. The human readable description. This can be basic HTML formatted text.
            "disclosureTime": "A String", # Optional. The date the vulnerability was first disclosed.
            "exploitationState": "A String", # Optional. Exploitation state of the vulnerability, for example "Available".
            "externalVulnerabilityId": "A String", # Required. The external ID of the vulnerability.
            "isExploitedWild": True or False, # Optional. Whether this is exploited in the wild.
            "referenceUrls": [ # Optional. Reference URLs to the vulnerability.
              "A String",
            ],
            "remediation": "A String", # Optional. The human readable remediation recommendation. This can be basic HTML formatted text.
            "riskRating": "A String", # Optional. Risk rating for the vulnerability, for example "High".
            "title": "A String", # Optional. Human readable name for the vulnerability.
          },
        },
        "initialAccessBroker": { # A detail object for an Initial Access Broker (IAB) finding. # Initial Access Broker finding detail type.
          "documentId": "A String", # Required. The unique identifier of the document that triggered the IAB finding. This ID can be used to retrieve the content of the document for further analysis.
          "matchScore": 3.14, # Required. Reference to the match score of the IAB finding. This is a float value between 0 and 1 calculated by the matching engine based on the similarity of the document and the user provided configurations.
          "severity": "A String", # Required. The severity of the IAB finding. This indicates the potential impact of the threat.
        },
        "insiderThreat": { # A detail object for a InsiderThreat finding. # Insider Threat finding detail type.
          "documentId": "A String", # Required. The unique identifier of the document that triggered the InsiderThreat finding. This ID can be used to retrieve the content of the document for further analysis.
          "matchScore": 3.14, # Required. Reference to the match score of the InsiderThreat finding. This is a float value greater than 0 and less than or equal to 1 calculated by the matching engine based on the similarity of the document and the user provided configurations.
          "severity": "A String", # Required. The severity of the InsiderThreat finding. This indicates the potential impact of the threat.
        },
        "misconfiguration": { # Misconfiguration finding detail. # Misconfiguration finding detail type.
          "misconfigurationMetadata": { # Misconfiguration metadata. # Required. The misconfiguration metadata.
            "description": "A String", # Optional. Description of the misconfiguration.
            "displayName": "A String", # Optional. A user-friendly name for the misconfiguration.
            "misconfigurationId": "A String", # Required. The identifier for the misconfiguration. This is an internal name generated by the finding provider.
            "references": [ # Optional. References to external resources that provide more information about the misconfiguration.
              { # A reference to an external resource that provides more information about a misconfiguration.
                "type": "A String", # Required. The type of the reference (e.g., "description", "remediation").
                "uri": "A String", # Required. The URI of the reference.
              },
            ],
            "remediation": "A String", # Optional. Recommended remediation steps for the misconfiguration.
            "vulnerableUri": "A String", # Optional. The endpoint which was found to have the vulnerability.
          },
        },
        "suspiciousDomain": { # A detailed object for a suspicious Domain finding. # Domain Monitoring finding detail type.
          "dns": { # The DNS details of the suspicious domain. # The DNS details of the suspicious domain.
            "dnsRecords": [ # The DNS records of the suspicious domain.
              { # The DNS record of the suspicious domain.
                "record": "A String", # The name of the DNS record.
                "ttl": 42, # The TTL of the DNS record.
                "type": "A String", # The type of the DNS record.
                "value": "A String", # The value of the DNS record.
              },
            ],
            "retrievalTime": "A String", # The time the DNS details were retrieved.
          },
          "domain": "A String", # Required. The suspicious domain name.
          "gtiDetails": { # The GTI details of the suspicious domain. # The GTI details of the suspicious domain.
            "threatScore": 42, # The threat score of the suspicious domain. The threat score is a number between 0 and 100.
            "verdict": "A String", # Output only. The verdict of the suspicious domain.
            "virustotalUri": "A String", # VirusTotal link for the domain
          },
          "matchScore": 3.14, # Required. Reference to the match score of the finding. This is a float value between 0 and 1 calculated by the matching engine.
          "severity": "A String", # Required. The severity of the finding. This indicates the potential impact of the threat.
          "whois": { # The whois details of the suspicious domain. # The whois details of the suspicious domain.
            "retrievalTime": "A String", # The time the whois details were retrieved.
            "whois": "A String", # The whois details of the suspicious domain.
          },
        },
        "targetTechnology": { # Contains details for a technology watchlist finding. # Technology Watchlist finding detail type.
          "vulnerabilityMatch": { # Contains details about a vulnerability match. # Output only. The vulnerability match details.
            "associations": [ # Optional. Associated threat actors, malware, etc. This is embedded as a snapshot because the details of the association at the time of the vulnerability match are important for context and reporting.
              { # Represents an association with a vulnerability.
                "id": "A String", # Required. The ID of the association.
                "type": "A String", # Required. The type of the association.
              },
            ],
            "collectionId": "A String", # Output only. The collection ID of the vulnerability. Ex: "vulnerability--cve-2025-9876".
            "cveId": "A String", # Output only. The CVE ID of the vulnerability. Ex: "CVE-2025-9876". See https://www.cve.org/ for more information.
            "cvss3Score": 3.14, # Output only. The CVSS v3 score of the vulnerability. Example: 6.4.
            "description": "A String", # Output only. A description of the vulnerability.
            "exploitationState": "A String", # Output only. The exploitation state of the vulnerability.
            "riskRating": "A String", # Output only. The risk rating of the vulnerability.
            "technologies": [ # Output only. The affected technologies. Ex: "Apache Struts".
              "A String",
            ],
          },
        },
      },
      "displayName": "A String", # Required. A short descriptive title for the finding <= 250 chars. EX: "Actor 'baddy' offering $1000 for credentials of 'goodguy'".
      "issue": "A String", # Optional. Optional - name of the issue that this finding is bound to. Format: vaults/{vault}/issues/{issue}
      "name": "A String", # Identifier. Server generated name for the finding (leave clear during creation). Format: vaults/{vault}/findings/{finding}
      "provider": "A String", # Required. Logical source of this finding (name of the sub-engine).
      "relevanceAnalysis": { # Structured relevance analysis for a threat. # Output only. High-Precision Relevance Analysis verdict for the finding.
        "confidence": "A String", # The level of confidence in the given verdict.
        "evidence": { # Details the evidence used to determine the relevance verdict. # Evidence supporting the verdict, including matched and unmatched items.
          "commonThemes": [ # A list of semantic themes or concepts found to be common, related, or aligned between the sources, supporting the verdict.
            "A String",
          ],
          "distinctThemes": [ # A list of semantic themes or descriptions unique to one source or semantically distant.
            "A String",
          ],
        },
        "reasoning": "A String", # Human-readable explanation from the matcher, detailing why a particular result is considered relevant or not relevant.
        "relevanceLevel": "A String", # The level of relevance.
        "relevant": True or False, # Indicates whether the threat is considered relevant.
      },
      "reoccurrenceTimes": [ # Output only. When identical finding (same labels and same details) has re-occurred.
        "A String",
      ],
      "severity": 3.14, # Optional. Deprecated: Use the `severity_analysis` field instead. Base severity score from the finding source.
      "severityAnalysis": { # Structured severity analysis for a threat. # Output only. High-Precision Severity Analysis verdict for the finding.
        "confidence": "A String", # The level of confidence in the given verdict.
        "reasoning": "A String", # Human-readable explanation from the model, detailing why a particular result is considered to have a certain severity.
        "severityLevel": "A String", # The level of severity.
      },
    },
  ],
  "nextPageToken": "A String", # Page token.
}
search_next()
Retrieves the next page of results.

        Args:
          previous_request: The request for the previous page. (required)
          previous_response: The response from the request for the previous page. (required)

        Returns:
          A request object that you can call 'execute()' on to request the next
          page. Returns None if there are no more items in the collection.
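
The search() / search_next() paging loop documented above, with a validated `has_issue` query and a per-finding triage row, as an added example that is not part of the client library's own documentation. `findings` stands for the collection resource this page describes; `FakeFindings`, `FakeRequest`, the two sample pages and the character restriction on issue names are constructed assumptions so the block runs offline.

```python
import re

# Assumption: vault and issue IDs never contain '/', '"' or '\'.
ISSUE_NAME = re.compile(r'vaults/[^/"\\]+/issues/[^/"\\]+')


def has_issue_query(issue_name):
    """Build the has_issue(...) relationship query for search(query=...)."""
    if not ISSUE_NAME.fullmatch(issue_name):
        # Reject anything that could close the quoted inner filter early.
        raise ValueError("unexpected issue name: %r" % issue_name)
    inner = 'name="%s"' % issue_name
    return 'has_issue("%s")' % inner.replace('"', '\\"')


def iter_findings(findings, parent, query, page_size=100, max_pages=50):
    """Yield findings from search(), following search_next() until it returns None."""
    request = findings.search(parent=parent, query=query, pageSize=page_size)
    for _ in range(max_pages):  # hard cap: stop even if page tokens keep coming
        if request is None:
            return
        response = request.execute()
        yield from response.get("findings", [])
        request = findings.search_next(
            previous_request=request, previous_response=response)


def triage_row(finding):
    """Flatten the fields an analyst sorts on; absent optional fields become None."""
    detail = finding.get("detail", {})
    match = detail.get("targetTechnology", {}).get("vulnerabilityMatch", {})
    return {
        "name": finding.get("name"),
        "relevant": finding.get("relevanceAnalysis", {}).get("relevant"),
        # 'severity' is marked deprecated above; read severityAnalysis instead.
        "severityLevel": finding.get("severityAnalysis", {}).get("severityLevel"),
        "cveId": match.get("cveId"),
        "exploitationState": match.get("exploitationState"),
    }


# Constructed two-page response; the severityLevel and token values are placeholders.
PAGES = [
    {"findings": [{"name": "vaults/vault-12345/findings/constructed-1",
                   "relevanceAnalysis": {"relevant": True},
                   "severityAnalysis": {"severityLevel": "CONSTRUCTED_LEVEL"},
                   "detail": {"targetTechnology": {"vulnerabilityMatch": {
                       "cveId": "CVE-2025-9876", "exploitationState": "Available"}}}}],
     "nextPageToken": "constructed-token"},
    {"findings": [{"name": "vaults/vault-12345/findings/constructed-2",
                   "relevanceAnalysis": {"relevant": False},
                   "detail": {"suspiciousDomain": {"domain": "example.test"}}}]},
]


class FakeRequest:
    def __init__(self, page):
        self.page = page

    def execute(self):
        return PAGES[self.page]


class FakeFindings:
    """Offline stand-in exposing only search() and search_next()."""
    def search(self, parent, orderBy=None, pageSize=None, pageToken=None, query=None):
        self.last_query = query
        return FakeRequest(0)

    def search_next(self, previous_request, previous_response):
        if "nextPageToken" not in previous_response:
            return None  # same contract as the real method: None means no more pages
        return FakeRequest(previous_request.page + 1)
```
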