Cases overview

This document covers the concepts of cases in the Enterprise tier of Security Command Center and explains how to work with them.

The cases, alerts, playbooks, jobs, and connectors functionality are powered by Google Security Operations.

Overview

In Security Command Center, use the case capability to obtain details about findings, attach playbooks to alerts, apply automatic threat responses, and define what posture findings to remediate. Cases help you investigate findings, respond to threats using playbooks, and mitigate vulnerabilities and misconfigurations using ticketing systems.

In Security Command Center, a case is a high-level container for multiple alerts and their related information ingested by the connector. The alert is triggered by one or more security events and enriched using a playbook to collect additional information. Using the collected information, the connector attempts to determine whether a new incoming alert can be grouped into an open existing case with other alerts that are related to the same intrusion.

For more details about cases, see Case overview in the Google SecOps documentation.

Findings flow

In Security Command Center Enterprise, there are two flows for findings:

1. Security Command Center threat findings go through the security information and event management (SIEM) module. After triggering the internal SIEM rules, findings turn into alerts.

   The connector collects the alerts and ingests them into the security orchestration, automation and response (SOAR) module where the playbooks process and enrich the alerts that are grouped into cases.

2. Security Command Center posture findings that consist of vulnerabilities and misconfigurations go directly to SOAR. After the SCC Enterprise - Urgent Posture Findings Connector ingests and groups posture findings as alerts into cases, the playbooks process and enrich alerts.

In Security Command Center Enterprise, the Security Command Center finding becomes a case alert.

Investigating cases

During ingestion, findings are grouped into cases to let the security specialists know what to triage.

Multiple findings with the same parameters are grouped into one case. To learn more, refer to the Group findings in cases. If you are using a ticketing system, such as Jira or ServiceNow, a ticket is created is created based on a case, meaning that there is one ticket for all findings in a case.

Finding severity versus case priority

By default, all findings contained in a case possess the same severity property. You can configure the grouping settings to include findings with different severities into one case.

Case priority is based on the maximum finding severity. For more details, see the following example:

• Case 1: Priority: CRITICAL

  • Finding 1: Severity: HIGH
  • Finding 2: Severity: HIGH
  • Finding 3: Severity: CRITICAL

• Case 2: Priority: HIGH

  • Finding 1: Severity: HIGH
  • Finding 2: Severity: HIGH
  • Finding 3: Severity: HIGH

Reviewing cases

To review a case, take the following steps:

1. In Security Operations console, go to Cases.
2. Select a case to review. The Case View opens, where you can find a finding summary along with all information about an alert or the collection of alerts grouped into a selected case.
3. Check the Case Wall tab for details about the activity performed on the case and included alerts.

4. Go to the Alert tab to get an overview of a finding.

   The Alert tab contains the following information:

   • List of alert events.
   • Playbooks attached to the alert.
   • A finding overview.
   • Information about the impacted asset.
   • Optional: ticket details.

Integrating with ticketing systems

Cases containing vulnerability and misconfiguration findings have related tickets only when you integrate and configure the ticketing system. If you integrate a ticketing system, Security Command Center Enterprise creates tickets based on posture cases and forwards all information collected by playbooks to the ticketing system using the synchronization job.

By default, cases containing threat findings have no related tickets even when you integrate the ticketing system with your Security Command Center Enterprise instance. To use tickets for your threat cases, customize available playbooks by adding an action or create new playbooks.

Case assignee versus ticket assignee

Every finding has a single resource owner at any given time. The resource owner is defined using Google Cloud tags, Essential Contacts, or the Fallback Owner parameter value configured in the SCC Enterprise - Urgent Posture Findings Connector.

If you integrate a ticketing system, the resource owner is the ticket assignee by default. To learn more about automatic and manual ticket assignment, refer to Assign tickets based on posture cases.

The ticket assignee works with findings to remediate them.

The case assignee works with cases in Security Command Center Enterprise and doesn't triage or mitigate findings.

For example, a case assignee can be a Threat Manager or other Security Specialist who collaborates with an engineer (ticket assignee) and verifies that all alerts in a case are addressed. The case assignee never works with ticketing systems.

What's next?

To learn more about cases, refer to the following resources in the Google SecOps documentation:

• Cases overview tab
• What's on the Cases page?
• How to perform a manual action on a case
• How to simulate cases
• Work with playbook blocks