Determine ownership for posture findings

This document explains the concept of ownership for posture findings and the flow of determining the resource owner for a finding in Security Command Center Enterprise.

Overview

Security Command Center requires a valid resource owner value to know what case to ingest the finding into, define whom to automatically assign a ticket to, and ensure that all findings grouped into a case belong to the same owner even if you customize the grouping settings.

For more information about findings grouping mechanism, refer to Group findings in cases.

Determine the ownership for posture findings

The flow of determining the resource owner for posture findings is as follows:

1. Cloud tags. For more information, see Creating and managing tags.

   Upon receiving a finding, the SCC Enterprise - Urgent Posture Findings Connector analyzes it for the cloud tag value inherited from the finding resource and contained in the Owner Tag Name parameter.

   If a finding possesses a cloud tag with the email of a resource owner, the connector ingests the finding and assigns it to the resource owner defined in a cloud tag.

2. Essential Contacts. For more information, see Managing contacts for notifications in the Resource Manager documentation.

   If a finding hasn't inherited any cloud tags, then the connector attempts to define the resource owner using Essential Contacts.

   If a finding has any contacts inherited from its resource, the connector ingests the finding and assigns it to the owner stated in contacts.

   If there are several values (emails) in the contacts, the first value in the list defines the resource owner.

3. The Fallback Owner parameter in the SCC Enterprise - Urgent Posture Findings Connector.

   If a finding hasn't inherited any cloud tags or Essential Contacts, the connector ingests the finding and assigns it to the owner defined in the connector's Fallback Owner parameter.

   To configure the Fallback Owner parameter, follow these steps:

   1. In the Google Cloud console, go to Settings > SOAR settings to open the SOAR settings page.

   2. In the Security Operations console Settings navigation, go to Ingestion > Connectors.

   3. Select the SCC Enterprise - Urgent Posture Findings Connector. The connector parameter configuration page opens.

   4. In the Fallback Owner parameter field, enter the email of the default assignee to remediate findings. The email should be assignable in your ticketing system.

What's next?

• Learn how to assign tickets in cases.
• Learn the concepts of cases in Cases overview.