Group findings in cases

This document explains how you can group findings into cases in the Enterprise tier of Security Command Center.

Overview

The findings grouping mechanism automatically groups ingested findings into cases. By default, this grouping mechanism ensures that all findings in a case belong to the same:

  • Resource owner
  • Google Cloud project
  • AWS account
  • Asset type
  • Category
  • Severity level

Configure grouping settings

To configure the default grouping settings applicable to all ingested findings, follow these steps:

  1. In the Security Operations console, go to Settings > Ingestion > Connectors.

  2. Select SCC Enterprise - Urgent Posture Findings Connector.

  3. To customize the grouping mechanism and disable specific grouping options, clear the checkboxes for one or more of the following parameters:

    • Group by AWS Account
    • Group by GCP Project
    • Group by Severity
    • Group by Asset Type

By default, the following grouping settings apply to ingested findings:

  • Group by AWS Account: Findings are grouped according to the AWS accounts they belong to.

  • Group by GCP Project: Findings are grouped according to the Google Cloud projects they belong to.

  • Group by Severity: Findings are grouped according to their severity level, such as HIGH or MEDIUM.

  • Group by Asset Type: Findings are grouped according to their asset type (Google Cloud resource type), such as Compute Engine instance or IAM service account.

All findings grouped into a case belong to the same owner. To ensure that findings are grouped correctly, including findings with no inherited Google Cloud tags or Essential Contacts, always configure the connector Fallback Owner parameter.

Example: How the grouping mechanism works

In this example, only findings from Google Cloud are used.

The connector ingests four findings with different severities and different values inherited from their respective Google Cloud resources:

Finding 1: Severity: Critical, Asset Type: Compute, Project: Project_1

Finding 2: Severity: Critical, Asset Type: IAM, Project: Project_2

Finding 3: Severity: High, Asset Type: Compute, Project: Project_1

Finding 4: Severity: High, Asset Type: Compute, Project: Project_2

Default grouping mechanism

With the default settings, findings are grouped according to their project, asset type, and severity level.

In this example, every finding is included in a different case.

  • Case 1:

    • Finding 1: Severity: Critical, Asset Type: Compute, Project: Project_1
  • Case 2:

    • Finding 2: Severity: Critical, Asset Type: IAM, Project: Project_2
  • Case 3:

    • Finding 3: Severity: High, Asset Type: Compute, Project: Project_1
  • Case 4:

    • Finding 4: Severity: High, Asset Type: Compute, Project: Project_2

Custom grouping mechanism

Selecting only the Group by GCP Project checkbox automatically groups findings according to their Google Cloud projects so that a case only contains findings belonging to the same project:

  • Case 1:

    • Finding 1: Severity: Critical, Asset Type: Compute, Project: Project_1
    • Finding 3: Severity: High, Asset Type: Compute, Project: Project_1
  • Case 2:

    • Finding 2: Severity: Critical, Asset Type: IAM, Project: Project_2
    • Finding 4: Severity: High, Asset Type: Compute, Project: Project_2

Selecting only the Group by Severity checkbox automatically groups findings according to their severities so that a case only contains findings with the same severity level:

  • Case 1:

    • Finding 1: Severity: Critical, Asset Type: Compute, Project: Project_1
    • Finding 2: Severity: Critical, Asset Type: IAM, Project: Project_2
  • Case 2:

    • Finding 3: Severity: High, Asset Type: Compute, Project: Project_1
    • Finding 4: Severity: High, Asset Type: Compute, Project: Project_2

Selecting only the Group by Asset Type checkbox automatically groups findings according to their asset types (resource types in Google Cloud) so that a case only contains findings belonging to the same asset type:

  • Case 1:

    • Finding 1: Severity: Critical, Asset Type: Compute, Project: Project_1
    • Finding 3: Severity: High, Asset Type: Compute, Project: Project_1
    • Finding 4: Severity: High, Asset Type: Compute, Project: Project_2
  • Case 2:

    • Finding 2: Severity: Critical, Asset Type: IAM, Project: Project_2

Selecting both the Group by GCP Project and Group by Severity checkboxes automatically groups findings according to their projects and severity levels so that a case only contains findings belonging to the same project and having the same severity. In this example, the connector creates the following four cases:

  • Case 1:

    • Finding 1: Severity: Critical, Asset Type: Compute, Project: Project_1
  • Case 2:

    • Finding 2: Severity: Critical, Asset Type: IAM, Project: Project_2
  • Case 3:

    • Finding 3: Severity: High, Asset Type: Compute, Project: Project_1
  • Case 4:

    • Finding 4: Severity: High, Asset Type: Compute, Project: Project_2
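The scenarios above, modelled as an added Python example (written for this page, not the connector's own code). The four findings are the constructed ones from the example; the field names, the `fallback_owner` value and the always-on owner/category keys follow the Overview section and are assumptions, not the connector's internal representation.

```python
from collections import OrderedDict

# Constructed copies of the four example findings (Google Cloud only).
# None of them carries an inherited owner tag or Essential Contact, so the
# connector's Fallback Owner is what keeps them in the same owner group.
FINDINGS = [
    {"id": "Finding 1", "severity": "CRITICAL", "asset_type": "Compute", "project": "Project_1"},
    {"id": "Finding 2", "severity": "CRITICAL", "asset_type": "IAM", "project": "Project_2"},
    {"id": "Finding 3", "severity": "HIGH", "asset_type": "Compute", "project": "Project_1"},
    {"id": "Finding 4", "severity": "HIGH", "asset_type": "Compute", "project": "Project_2"},
]

# The four connector checkboxes, all enabled by default.
DEFAULT_GROUPING = {"aws_account": True, "gcp_project": True, "severity": True, "asset_type": True}

# Which finding field each checkbox compares on (assumed field names).
FIELD_FOR_OPTION = {
    "aws_account": "aws_account",
    "gcp_project": "project",
    "severity": "severity",
    "asset_type": "asset_type",
}


def group_findings(findings, grouping=DEFAULT_GROUPING, fallback_owner="fallback-owner"):
    """Return the cases as lists of finding ids, in order of first appearance.

    Owner and category are always part of the case key (the Overview says every
    finding in a case shares them); the checkboxes only add or drop the rest.
    """
    cases = OrderedDict()
    for finding in findings:
        owner = finding.get("owner") or fallback_owner  # Fallback Owner fills the gap
        key = [owner, finding.get("category")]
        for option, enabled in grouping.items():
            if enabled:
                key.append(finding.get(FIELD_FOR_OPTION[option]))
        cases.setdefault(tuple(key), []).append(finding["id"])
    return list(cases.values())


def only(*options):
    """Grouping settings with just the named checkboxes selected."""
    return {option: option in options for option in DEFAULT_GROUPING}


if __name__ == "__main__":
    print("default:", group_findings(FINDINGS))
    print("project only:", group_findings(FINDINGS, only("gcp_project")))
    print("asset type only:", group_findings(FINDINGS, only("asset_type")))
```

Clearing every checkbox collapses all four findings into one case, which is the other end of the trade-off between case volume and how much unrelated work an analyst inherits per case.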

What's next?

  • Learn more about alerts in the Google SecOps documentation.