Last updated (UTC): 2025-09-05.

Enterprise [service tier](/security-command-center/docs/service-tiers)

This page documents the mechanism of automatic ticket assignment in Security Command Center Enterprise and explains how to manually assign or reassign tickets using the Security Operations console.

Overview

A ticket assignee is the person responsible for addressing and remediating the vulnerabilities. The ticket is assigned to the respective assignee automatically based on either the resource owner value inherited by the finding through the Google Cloud [resource hierarchy](/resource-manager/docs/cloud-platform-resource-hierarchy) or the value configured in the connector's **Fallback Owner** parameter.

Assign tickets automatically

The default automatic flow for assigning a ticket consists of the following steps:

1. Determining the resource owner of a finding.
2. Creating cases and grouping related findings into them.
3. Creating and assigning tickets based on cases.

Determining the resource owner

While ingesting and grouping findings into cases, the **SCC Enterprise - Urgent Posture Findings Connector** analyzes every finding for the resource owner and fallback owner values. The fallback owner value configured in the **Fallback Owner** connector parameter is the final option to ensure that a custom finding is assigned to the correct person for remediation when all other prioritized options fail.

For more information about defining the resource owner in Security Command Center Enterprise, refer to [Determine ownership for posture findings](/security-command-center/docs/determine-ownership-posture-findings).

Creating cases and grouping findings

After the connector has ingested a finding, Security Command Center forwards the finding to a new case if the finding is the first of its kind, or to an existing case if the finding parameters comply with a grouping mechanism. In a case, the finding becomes an *event*, and the *alert* is based on that event. Essentially, an alert is a finding container that includes all information about a finding.

To learn more about how findings are grouped into cases, see [Group findings in cases](/security-command-center/docs/group-findings-in-cases).

Creating and assigning tickets

Creating a case automatically creates a ticket in an integrated ticketing system. All information contained in a case is bidirectionally synchronized with the corresponding ticket: every time a case is updated, for example with a new finding, a new comment, or a status change, the same update appears in the ticket, and the other way around.

Security Command Center Enterprise automatically assigns the created ticket to the resource owner of the findings grouped in a case. All findings in a case have the same resource owner.

**Important:** When using a ticketing system like Jira or ServiceNow to manage tickets, make sure to provide the assignable email (ldap) of the resource owner in your ticketing system, not the username.

Assign tickets manually

Assigning tickets manually requires you to run manual actions on cases.

Assign Jira issues in cases

To manually assign a Jira issue in a case, complete the following steps:

1. In the Google Cloud console, go to **Risk > Cases**.
2. Select a case related to the ITSM ticket.
3. In the **Case Overview** tab, click **Manual Action**.
4. In the manual action **Search** field, enter `Jira`.
5. In the search results under the **Jira** integration, select the **Assign Issue** action. The action dialog window opens.
6. To configure the **Issue Key** parameter, enter the following placeholder: `[Case.Ticket_ID]`

   The placeholder dynamically retrieves the Jira issue ID corresponding to the selected case.

   1. To configure the **Issue Key** parameter for a specific issue, enter the **Jira issue ID** in the following format: `SCCE-NUMBER`

      You can find the issue ID in the Jira issue URL:

          https://YOUR_INSTANCE_NAME.atlassian.net/browse/ISSUE_ID

7. To configure the **Assignee** parameter, enter the email address of the Jira ticket assignee.

   Alternatively, you can enter the name of the ticket assignee as it is displayed in Jira. The action supports using usernames or displayed names.
8. Click **Execute**.

Assign ServiceNow tickets in cases

To manually assign a ServiceNow ticket in a case, complete the following steps:

1. Retrieve the `sys_id` value to obtain the ServiceNow assignee ID.
2. Assign the ServiceNow ticket.

Retrieve the `sys_id` value

1. In the Google Cloud console, go to **Risk > Cases**.
2. Select a case related to the ServiceNow ticket.
3. In the **Case Overview** tab, click **Manual Action**.
4. In the manual action **Search** field, enter `ServiceNow`.
5. In the search results, select the **Get User Details** action. The action dialog window opens.
6. To configure the **Emails** parameter field, enter the email address of the ServiceNow ticket assignee.
7. Click **Execute**. Wait until the action is executed.
8. Go to the **Case Wall**, and then click **Refresh Case**.
9. In the **ServiceNow_Get User Details** data record, click **View more**.
10. In the **JSON Result** section, find the **`sys_id`** key and save its value to use it in the following section.

Assign the ServiceNow ticket

1. Go to the **Case Overview** tab, and then click **Manual Action**.
2. In the manual action **Search** field, enter `ServiceNow`.
3. In the search results under the **ServiceNow** integration, select the **Update Record** action. The action dialog window opens.
4. To configure the **Table Name** parameter, enter the following value: `u_scc_enterprise_cloud_posture_ticket`
5. To configure the **Object Json Data** parameter, enter the following code:

       {
         "u_assigned_to": "SYS_ID_VALUE"
       }

   In the code, use the **`sys_id`** value that you retrieved in the previous section.
6. To configure the **Record Sys ID** parameter, enter the following placeholder: `[Case.Ticket_ID]`

   The placeholder dynamically retrieves the ServiceNow ticket ID corresponding to the selected case.

   Alternatively, for the **Record Sys ID** parameter, you can provide a **Ticket ID** (**Case Overview** > **Ticket Information** widget > **Ticket ID**).
7. Click **Execute**.

What's next?

Learn how you can [group findings in cases](/security-command-center/docs/group-findings-in-cases).

Learn how you can [mute findings in Security Command Center](/security-command-center/docs/how-to-mute-findings).

Learn how you can [mute findings in cases](/security-command-center/docs/mute-findings-in-cases).
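The ServiceNow procedure described on this page depends on copying the correct `sys_id` from the **JSON Result** of **Get User Details** into the **Object Json Data** of **Update Record**. The following Python is an added example, not part of the original page or of the product. It selects the `sys_id` for the intended email from a constructed JSON result and rejects ambiguous or malformed values before building the payload. The shape of the JSON result, the sample values, and the function names are assumptions.

```python
import json
import re

# ServiceNow sys_id values are 32-character hexadecimal strings.
SYS_ID_RE = re.compile(r"[0-9a-f]{32}")


def find_user_records(node):
    """Yield every dict that carries a sys_id key, at any nesting depth."""
    if isinstance(node, dict):
        if "sys_id" in node:
            yield node
        for value in node.values():
            yield from find_user_records(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_user_records(item)


def build_assignment(json_result, assignee_email):
    """Return the Object Json Data string for the Update Record action."""
    wanted = assignee_email.strip().lower()
    matches = {
        str(rec["sys_id"]).lower()
        for rec in find_user_records(json.loads(json_result))
        if str(rec.get("email", "")).strip().lower() == wanted
    }
    # Zero or several matches would assign the ticket to nobody or to the wrong user.
    if len(matches) != 1:
        raise ValueError(f"expected one user for {wanted}, found {len(matches)}")
    sys_id = matches.pop()
    # A username or email pasted in place of the sys_id fails this check.
    if not SYS_ID_RE.fullmatch(sys_id):
        raise ValueError("sys_id is not a 32-character hex value")
    return json.dumps({"u_assigned_to": sys_id}, indent=2)


# Constructed sample of a Get User Details JSON Result (shape is assumed).
SAMPLE_RESULT = json.dumps({"result": [
    {"sys_id": "0123456789abcdef0123456789abcdef", "email": "owner@example.com"},
    {"sys_id": "fedcba9876543210fedcba9876543210", "email": "other@example.com"},
]})

if __name__ == "__main__":
    print(build_assignment(SAMPLE_RESULT, "owner@example.com"))
```

The returned string is what you paste into **Object Json Data**; **Table Name** and **Record Sys ID** stay as described in the steps above.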