Determine ownership for posture findings

This document explains the concept of ownership for posture findings and the flow of determining the resource owner for a finding in Security Command Center Enterprise.

The SCC Enterprise - Urgent Posture Findings Connector is powered by Google Security Operations.

Overview

Security Command Center requires a valid resource owner value to know what case to ingest the finding into, define whom to automatically assign a ticket to, and ensure that all findings grouped into a case belong to the same owner even if you customize the grouping settings.

For more information about the findings grouping mechanism, refer to Group findings in cases.

Determine the ownership for posture findings

The flow of determining the resource owner for posture findings is as follows:

  1. Cloud tags. For more information, see Creating and managing tags.

    Upon receiving a finding, the SCC Enterprise - Urgent Posture Findings Connector analyzes it for the cloud tag value inherited from the finding resource and contained in the Owner Tag Name parameter.

    If a finding possesses a cloud tag with the email of a resource owner, the connector ingests the finding and assigns it to the resource owner defined in a cloud tag.

  2. Essential Contacts. For more information, see Managing contacts for notifications in the Resource Manager documentation.

    If a finding hasn't inherited any cloud tags, then the connector attempts to define the resource owner using Essential Contacts.

    If a finding has any contacts inherited from its resource, the connector ingests the finding and assigns it to the owner stated in contacts.

    If there are several values (emails) in the contacts, the first value in the list defines the resource owner.

  3. The Fallback Owner parameter in the SCC Enterprise - Urgent Posture Findings Connector.

    If a finding hasn't inherited any cloud tags or Essential Contacts, the connector ingests the finding and assigns it to the owner defined in the connector's Fallback Owner parameter.

    To configure the Fallback Owner parameter, follow these steps:

    1. In the Security Operations console, go to Settings > Ingestion > Connectors.

    2. Select the SCC Enterprise - Urgent Posture Findings Connector. The connector parameter configuration page opens.

    3. In the Fallback Owner parameter field, enter the email of the default assignee to remediate findings. The email should be assignable in your ticketing system.

We recommend using cloud tags for all your Google Cloud resources to make sure that every finding automatically inherits correct tags with defined owners and is assigned to a correct person. Using cloud tags is the most accurate method to determine the resource owner while ensuring that the hierarchy of your Google Cloud resources is correct.
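
The following Python sketch is an added example, not the connector's own code. It models the three-step order described above over a constructed resource inventory and reports which resources would not resolve through a cloud tag. The dictionary fields, the `owner` tag name, and the fallback address are assumptions.

```python
from collections import Counter

OWNER_TAG_NAME = "owner"                      # assumed value of the Owner Tag Name parameter
FALLBACK_OWNER = "secops-triage@example.com"  # assumed value of the Fallback Owner parameter


def resolve_owner(resource, owner_tag_name=OWNER_TAG_NAME, fallback_owner=FALLBACK_OWNER):
    """Return (owner_email, source) following the documented order."""
    # 1. Cloud tag inherited by the resource under the Owner Tag Name key.
    #    Assumption: tags without that key, or an empty value, count as no owner tag.
    tag_value = ((resource.get("tags") or {}).get(owner_tag_name) or "").strip()
    if tag_value:
        return tag_value, "cloud_tag"
    # 2. Essential Contacts: with several emails, the first value in the list wins.
    contacts = [c.strip() for c in resource.get("essential_contacts") or [] if c and c.strip()]
    if contacts:
        return contacts[0], "essential_contacts"
    # 3. Nothing inherited: the connector's Fallback Owner parameter.
    return fallback_owner, "fallback_owner"


def coverage_report(resources):
    """Count resolution sources and list resources that lack an owner tag."""
    counts = Counter()
    untagged = []
    for res in resources:
        _, source = resolve_owner(res)
        counts[source] += 1
        if source != "cloud_tag":
            untagged.append(res["name"])
    return counts, untagged


# Constructed sample inventory (not real resources).
SAMPLE = [
    {"name": "projects/p1/buckets/logs", "tags": {"owner": "alice@example.com"},
     "essential_contacts": ["sec@example.com"]},
    {"name": "projects/p2/instances/web", "tags": {"env": "prod"},
     "essential_contacts": ["bob@example.com", "carol@example.com"]},
    {"name": "projects/p3/datasets/raw", "tags": {}, "essential_contacts": []},
]

if __name__ == "__main__":
    for res in SAMPLE:
        print(res["name"], *resolve_owner(res))
    counts, untagged = coverage_report(SAMPLE)
    print(dict(counts), "missing owner tag:", untagged)
```

Resources listed as missing an owner tag are the ones whose findings would be assigned through Essential Contacts or the Fallback Owner rather than to a tagged owner.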
