Stay organized with collections
Save and categorize content based on your preferences.
This document explains the concept of ownership for posture findings and the flow
of determining the resource owner for a finding in Security Command Center Enterprise.
Overview
Security Command Center requires a valid resource owner value to know what case to ingest
the finding into, define whom to automatically assign a ticket to, and ensure
that all findings grouped into a case belong to the same owner even if you
customize the grouping settings.
Upon receiving a finding, the SCC Enterprise - Urgent Posture Findings
Connector analyzes it for the cloud tag value inherited from the finding
resource and contained in the Owner Tag Name parameter.
If a finding possesses a cloud tag with the email of a resource owner, the
connector ingests the finding and assigns it to the resource
owner defined in a cloud tag.
If a finding hasn't inherited any cloud tags, then the connector attempts to
define the resource owner using Essential Contacts.
If a finding has any contacts inherited from its resource, the connector
ingests the finding and assigns it to the owner stated in contacts.
If there are several values (emails) in the contacts, the first value in the
list defines the resource owner.
The Fallback Owner parameter in the SCC Enterprise - Urgent Posture
Findings Connector.
If a finding hasn't inherited any cloud tags or
Essential Contacts, the connector ingests the finding and
assigns it to the owner defined in the connector's Fallback Owner
parameter.
To configure the Fallback Owner parameter, follow these steps:
In the Google Cloud console, go to Settings > SOAR settings
to open the SOAR settings page.
In the Security Operations console Settings navigation, go to Ingestion
> Connectors.
Select the SCC Enterprise - Urgent Posture Findings Connector.
The connector parameter configuration page opens.
In the Fallback Owner parameter field, enter the email of the default
assignee to remediate findings. The email should be assignable in your
ticketing system.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["| Enterprise [service tier](/security-command-center/docs/service-tiers)\n\nThis document explains the concept of ownership for posture findings and the flow\nof determining the resource owner for a finding in Security Command Center Enterprise.\n\nOverview\n\nSecurity Command Center requires a valid resource owner value to know what case to ingest\nthe finding into, define whom to automatically assign a ticket to, and ensure\nthat all findings grouped into a case belong to the same owner even if you\ncustomize the grouping settings.\n\nFor more information about findings grouping mechanism, refer to [Group findings\nin cases](/security-command-center/docs/group-findings-in-cases).\n\nDetermine the ownership for posture findings\n\nThe flow of determining the resource owner for posture findings is as follows:\n\n1. Cloud tags. For more information, see [Creating and managing tags](/resource-manager/docs/tags/tags-creating-and-managing).\n\n Upon receiving a finding, the **SCC Enterprise - Urgent Posture Findings\n Connector** analyzes it for the cloud tag value inherited from the finding\n resource and contained in the **Owner Tag Name** parameter.\n\n If a finding possesses a cloud tag with the email of a resource owner, the\n connector ingests the finding and assigns it to the resource\n owner defined in a cloud tag.\n2. Essential Contacts. For more information, see [Managing contacts for\n notifications](/resource-manager/docs/managing-notification-contacts) in the\n Resource Manager documentation.\n\n If a finding hasn't inherited any cloud tags, then the connector attempts to\n define the resource owner using Essential Contacts.\n\n If a finding has any contacts inherited from its resource, the connector\n ingests the finding and assigns it to the owner stated in contacts.\n\n If there are several values (emails) in the contacts, the first value in the\n list defines the resource owner.\n3. The **Fallback Owner** parameter in the **SCC Enterprise - Urgent Posture\n Findings Connector**.\n\n If a finding hasn't inherited any cloud tags or\n Essential Contacts, the connector ingests the finding and\n assigns it to the owner defined in the connector's **Fallback Owner**\n parameter.\n\n To configure the **Fallback Owner** parameter, follow these steps:\n 1. In the Google Cloud console, go to **Settings \\\u003e SOAR settings** to open the **SOAR settings** page.\n 2. In the Security Operations console **Settings** navigation, go to **Ingestion\n \\\u003e Connectors**.\n\n 3. Select the **SCC Enterprise - Urgent Posture Findings Connector**.\n The connector parameter configuration page opens.\n\n 4. In the **Fallback Owner** parameter field, enter the email of the default\n assignee to remediate findings. The email should be assignable in your\n ticketing system.\n\n| **Note:** We recommend using cloud tags for all your Google Cloud resources to make sure that every finding automatically inherits correct tags with defined owners and is assigned to a correct person. Using cloud tags is the most accurate method to determine the resource owner while ensuring that the hierarchy of your Google Cloud resources is correct.\n\nWhat's next?\n\n- Learn how to [assign tickets in cases](/security-command-center/docs/assign-itsm-tickets).\n- Learn the concepts of cases in [Cases overview](/security-command-center/docs/cases-overview)."]]
