This document explains how you can group findings into cases in the Enterprise tier of Security Command Center.
Overview
The findings grouping mechanism automatically groups ingested findings into cases. By default, this grouping mechanism ensures that all findings in a case belong to the same:
- Resource owner
- Google Cloud project
- AWS account
- Asset type
- Category
- Severity level
Configure grouping settings
To configure the default grouping settings applicable to all ingested findings, follow these steps:
1. In the Security Operations console, go to Settings > Ingestion > Connectors.
2. Select SCC Enterprise - Urgent Posture Findings Connector.
3. To customize the grouping mechanism and disable specific grouping options, clear the checkboxes for one or more of the following parameters:
- Group by AWS Account
- Group by GCP Project
- Group by Severity
- Group by Asset Type
By default, the following grouping settings apply to ingested findings:
- Group by AWS Account: Findings are grouped according to the AWS accounts they belong to.
- Group by GCP Project: Findings are grouped according to the Google Cloud projects they belong to.
- Group by Severity: Findings are grouped according to their severity level, such as HIGH or MEDIUM.
- Group by Asset Type: Findings are grouped according to their asset type (Google Cloud resource type), such as Compute Engine instance or IAM service account.
All findings grouped into a case belong to the same owner. To ensure that findings are grouped correctly, including findings with no inherited Google Cloud tags or Essential Contacts, always configure the connector Fallback Owner parameter.
Example: How the grouping mechanism works
In this example, only findings from Google Cloud are used.
The connector ingests four findings with different severities and different values inherited from their respective Google Cloud resources:
- Finding 1: Severity: Critical, Asset Type: Compute, Project: Project_1
- Finding 2: Severity: Critical, Asset Type: IAM, Project: Project_2
- Finding 3: Severity: High, Asset Type: Compute, Project: Project_1
- Finding 4: Severity: High, Asset Type: Compute, Project: Project_2
Default grouping mechanism
With the default settings, findings are grouped according to their respective projects, asset types, and severity levels.
In this example, no two findings share all three values, so each finding is placed in its own case.
Case 1:
- Finding 1: Severity: Critical, Asset Type: Compute, Project: Project_1
Case 2:
- Finding 2: Severity: Critical, Asset Type: IAM, Project: Project_2
Case 3:
- Finding 3: Severity: High, Asset Type: Compute, Project: Project_1
Case 4:
- Finding 4: Severity: High, Asset Type: Compute, Project: Project_2
Custom grouping mechanism
Selecting only the Group by GCP Project checkbox automatically groups findings according to their Google Cloud projects so that a case only contains findings belonging to the same project:
Case 1:
- Finding 1: Severity: Critical, Asset Type: Compute, Project: Project_1
- Finding 3: Severity: High, Asset Type: Compute, Project: Project_1
Case 2:
- Finding 2: Severity: Critical, Asset Type: IAM, Project: Project_2
- Finding 4: Severity: High, Asset Type: Compute, Project: Project_2
Selecting only the Group by Severity checkbox automatically groups findings according to their severities so that a case only contains findings with the same severity level:
Case 1:
- Finding 1: Severity: Critical, Asset Type: Compute, Project: Project_1
- Finding 2: Severity: Critical, Asset Type: IAM, Project: Project_2
Case 2:
- Finding 3: Severity: High, Asset Type: Compute, Project: Project_1
- Finding 4: Severity: High, Asset Type: Compute, Project: Project_2
Selecting only the Group by Asset Type checkbox automatically groups findings according to their asset types (resource types in Google Cloud) so that a case only contains findings belonging to the same asset type:
Case 1:
- Finding 1: Severity: Critical, Asset Type: Compute, Project: Project_1
- Finding 3: Severity: High, Asset Type: Compute, Project: Project_1
- Finding 4: Severity: High, Asset Type: Compute, Project: Project_2
Case 2:
- Finding 2: Severity: Critical, Asset Type: IAM, Project: Project_2
Selecting both the Group by GCP Project and Group by Severity checkboxes automatically groups findings according to their respective projects and severity levels so that a case only contains findings belonging to the same project and having the same severity. In this example, the connector creates the following four cases:
Case 1:
- Finding 1: Severity: Critical, Asset Type: Compute, Project: Project_1
Case 2:
- Finding 2: Severity: Critical, Asset Type: IAM, Project: Project_2
Case 3:
- Finding 3: Severity: High, Asset Type: Compute, Project: Project_1
Case 4:
- Finding 4: Severity: High, Asset Type: Compute, Project: Project_2
What's next?
- Learn more about alerts in the Google SecOps documentation.