This page explains how to review cases corresponding to identity and access findings in Security Command Center.
Security Command Center automatically creates cases for findings with a severity of Critical or High.
Before you begin
Make sure you have completed the following tasks before continuing:
- Learn about Security Command Center's CIEM capabilities.
- Set up permissions for CIEM.
- Enable the CIEM detection service for AWS.
- Connect your ticketing system.
View case details in the Security Operations console
To view the case details of an identity and access misconfiguration case from the Findings page, take the following steps:
- From the Identity and access findings pane on the Security Command Center Risk Overview page, click a finding name or the View all identity and access findings link. Security Command Center opens the Findings page with a pre-filtered query for identity and access findings.
- Click a finding name in the Category column to open the Finding details pane. Go to the Case information section and click the case ID number in the Case ID row. The Security Operations console Cases window opens in a new tab and displays the Alert tab of that particular case. The Alert tab contains the following information:
  - List of alert events associated with the case
  - Playbooks attached to the alert
  - A finding description
  - Next steps for remediation
  - Information about the impacted asset
  - Ticket information (if you connected your ticketing system to Security Command Center)
  If you have connected Security Command Center to Jira or ServiceNow, you can use the ticket ID link to navigate to your ticketing system.
- Check the Case Wall tab for details about the activity performed on the case and its included alerts.
- Check the Case Overview tab for a full overview of the case.
On the Security Operations console Cases page, you can see all the cases created for your environment, not just identity and access cases. You can navigate all existing cases with the Case Queue on the left side of the page. You can also search and filter the queue contents to make it easier to identify cases to focus on.
For more information on working with cases, see Cases overview.
What's next
- Learn how to investigate identity and access findings.
- Learn more about cases from the Google SecOps documentation: