Filter findings in cases

This document explains how to use the filter parameters in the SCC Enterprise - Urgent Posture Findings Connector so that cases contain only findings belonging to specific categories.

Cases, connectors, and the ingestion, filtering, and blocking of findings are functionality powered by Google Security Operations.

Overview

The Enterprise tier of Security Command Center uses the SCC Enterprise - Urgent Posture Findings Connector to retrieve, analyze, and ingest posture findings into cases. The connector parses the raw finding data to filter and group findings into cases based on the configuration you provide.

You can filter findings using the connector parameters to ensure the following:

  • The connector only ingests findings belonging to specific categories.

  • The connector excludes findings belonging to specific categories from ingestion.

Configure filters

The connector filter parameters let you specify the categories of findings that are ingested. By default, the connector ingests all types of findings from all your resources and cloud providers. Changing the default parameter values can affect the case processing flow.

If you configure filter parameters, the connector ingests only the configured finding categories for a selected filter parameter.

To view and edit the connector parameters, complete the following steps:

  1. In the Security Operations console, go to Settings > Ingestion > Connectors.

  2. Select the SCC Enterprise - Urgent Posture Findings Connector. The connector parameters configuration page opens.

All filter parameters accept multiple values as a comma-separated list. To enable specific filters, configure the following optional connector parameters:

  • GCP Project Filter: Specifies what Google Cloud projects to ingest findings from. You can list one or more project names to ensure the required coverage. If you provide no value for this parameter, the connector ingests findings from all your projects by default.

    For example, to make sure that the connector ingests alerts from your example-project-three and example-project-four Google Cloud projects and ignores others, provide the following parameter value: example-project-three,example-project-four.

  • Asset Type Filter: Specifies what asset types to ingest with no dependency on the cloud provider. You can list one or more resource types to ensure the required filter coverage. If you provide no value for this parameter, the connector ingests asset types from all your connected cloud providers by default.

    For example, to make sure that the connector ingests alerts from Cloud Storage buckets and Compute Engine instances and ignores other asset types, provide the following parameter value: google.cloud.storage.Bucket,google.compute.Instance.

  • Cloud Provider Filter: Specifies what cloud providers to ingest alerts from. If you provide no value for this parameter, the connector ingests alerts from all your connected cloud providers by default.

    For example, to make sure that the connector ingests alerts from your AWS instance and ignores findings from other providers, configure the following parameter value: AWS. To ingest only Google Cloud findings, set the parameter value to GCP.

  • AWS Account Filter: Specifies what AWS account IDs to ingest alerts from. If you provide no value for this parameter, the connector ingests findings from all your AWS accounts by default.

  • Severity Filter: Specifies the severities of findings to ingest.

Exclude finding category from ingestion

Use the dynamic list settings to exclude the specific finding categories from ingestion.

To configure the dynamic list, follow these steps:

  1. In the Security Operations console, go to Settings > Ingestion > Connectors.

  2. Select the SCC Enterprise - Urgent Posture Findings Connector. The connector configuration page opens.

  3. In the Dynamic List section, click Add.

  4. In the Rule name field, provide the name of a finding category to filter:

    1. In the Google Cloud console, go to the Overview page.

    2. In the list of vulnerability findings, select the finding category. The finding category window opens.

    3. In the JSON tab, find the following line:

      "category": "FINDING_CATEGORY",

    4. Copy the FINDING_CATEGORY value (no quotation marks) and provide it in the connector's dynamic list Rule name field.

  5. Optional: Add as many Rule name fields to the dynamic list section as you need.

  6. In the Parameters section, select Use dynamic list as a blocklist.

  7. Click Save.
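The following Python script is an added example, not code from the connector or from Google, that models how the filter parameters described above and the dynamic-list blocklist decide which findings reach a case. The parameter names and example values (the project names, the asset types, the AWS and GCP provider values) come from this page; the simplified finding records, the sample category and asset-type strings, the AND combination of filters, and the skipping of provider-specific filters for findings from another provider are assumptions made for the example.

```python
"""Illustrative model of the connector's ingestion filters and category blocklist.

Added example, not the connector's own code. Parameter names mirror the
documentation; the finding record layout, the AND combination of filters, and
the handling of filters that do not apply to a finding's provider are assumptions.
"""
from dataclasses import dataclass, field


def parse_list(value: str) -> set[str]:
    """Split a comma-separated parameter value into trimmed, non-empty entries.
    An empty parameter yields an empty set, meaning "no restriction"."""
    return {item.strip() for item in value.split(",") if item.strip()}


@dataclass
class ConnectorConfig:
    """One field per optional connector parameter; empty string = ingest all."""
    gcp_project_filter: str = ""
    asset_type_filter: str = ""
    cloud_provider_filter: str = ""
    aws_account_filter: str = ""
    severity_filter: str = ""
    # Dynamic list rule names, used as a blocklist of finding categories.
    blocklist_categories: set[str] = field(default_factory=set)


def should_ingest(finding: dict, cfg: ConnectorConfig) -> bool:
    """Return True if the finding passes every configured filter.

    Assumptions: filters combine with AND; a provider-specific filter (GCP
    project, AWS account) is skipped for findings that lack that attribute;
    the blocklist is applied last, so a blocked category never reaches a case.
    """
    checks = [
        (cfg.cloud_provider_filter, finding.get("cloud_provider")),
        (cfg.gcp_project_filter, finding.get("project")),
        (cfg.asset_type_filter, finding.get("asset_type")),
        (cfg.aws_account_filter, finding.get("aws_account")),
        (cfg.severity_filter, finding.get("severity")),
    ]
    for param, value in checks:
        allowed = parse_list(param)
        if allowed and value is not None and value not in allowed:
            return False
    return finding["category"] not in cfg.blocklist_categories


def ingested_names(findings: list[dict], cfg: ConnectorConfig) -> list[str]:
    """Names of the findings that would be ingested, in input order."""
    return [f["name"] for f in findings if should_ingest(f, cfg)]


# Constructed sample findings, reduced to the attributes the filters inspect.
# Category and AWS asset-type strings are illustrative values, not a reference list.
SAMPLE_FINDINGS = [
    {"name": "f1", "cloud_provider": "GCP", "project": "example-project-three",
     "asset_type": "google.cloud.storage.Bucket", "severity": "HIGH",
     "category": "PUBLIC_BUCKET_ACL"},
    {"name": "f2", "cloud_provider": "GCP", "project": "example-project-five",
     "asset_type": "google.compute.Instance", "severity": "CRITICAL",
     "category": "PUBLIC_IP_ADDRESS"},
    {"name": "f3", "cloud_provider": "AWS", "aws_account": "111122223333",
     "asset_type": "aws.ec2.Instance", "severity": "HIGH",
     "category": "OPEN_FIREWALL"},
    {"name": "f4", "cloud_provider": "GCP", "project": "example-project-four",
     "asset_type": "google.compute.Instance", "severity": "MEDIUM",
     "category": "OPEN_FIREWALL"},
    {"name": "f5", "cloud_provider": "GCP", "project": "example-project-four",
     "asset_type": "google.compute.Instance", "severity": "LOW",
     "category": "PUBLIC_IP_ADDRESS"},
]

# The page's own example values for the project and provider filters,
# plus one category placed on the dynamic-list blocklist.
EXAMPLE_CONFIG = ConnectorConfig(
    gcp_project_filter="example-project-three,example-project-four",
    cloud_provider_filter="GCP",
    blocklist_categories={"OPEN_FIREWALL"},
)

if __name__ == "__main__":
    print("default (no filters):", ingested_names(SAMPLE_FINDINGS, ConnectorConfig()))
    print("example config:", ingested_names(SAMPLE_FINDINGS, EXAMPLE_CONFIG))
```

Running the script shows the two behaviours the page describes: with every parameter empty all five sample findings are ingested, and with the example configuration only f1 and f5 survive (f2 fails the project filter, f3 fails the provider filter, and f4 matches every filter but is dropped by the blocklist). Whitespace around commas is tolerated by parse_list, which is worth keeping in mind when pasting values into the console.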

What's next?