Mute findings in Security Command Center

This page explains how to reduce the volume of findings that you receive in Security Command Center by muting findings.

Overview

Muting a finding hides it from the default view of your findings in the Google Cloud console. You can manually or programmatically mute findings and create filters to automatically silence existing and future findings based on criteria you specify.

Finding providers in Security Command Center supply broad security assessments of your Google Cloud deployment, but you might find that certain findings are not appropriate or relevant for your organization or projects. A high volume of findings can also make it difficult for your security analysts to identify and remediate the most critical risks. Muting findings saves you the time of reviewing or responding to security findings for assets that are isolated or fall within acceptable business parameters.

Mute findings versus allowlists

Muting findings works differently than existing volume management solutions. Security Health Analytics lets you use dedicated security marks to add assets to allowlists, which stops detectors from creating security findings for specific assets. Security Command Center also lets you disable detectors.

However, muting findings has several advantages over allowlists and disabling detectors:

  • You can mute findings without locating their underlying assets.
  • Findings that aren't attached to any resources can be muted.
  • You can create custom filters to fine-tune mute functionality.
  • Muting findings doesn't stop underlying assets from being scanned. Findings are still generated but remain hidden until you decide to view them.

Permissions

To mute findings, you need one of the following Identity and Access Management (IAM) roles at the organization, folder, or project level:

  • View mute rules:
    • Security Center Admin Viewer (roles/securitycenter.adminViewer)
    • Security Center Settings Viewer (roles/securitycenter.settingsViewer)
    • Security Center Mute Configurations Viewer (roles/securitycenter.muteConfigsViewer)
  • View, create, update, and delete mute rules:
    • Security Center Admin (roles/securitycenter.admin)
    • Security Center Admin Editor (roles/securitycenter.adminEditor)
    • Security Center Settings Editor (roles/securitycenter.settingsEditor)
    • Security Center Mute Configurations Editor (roles/securitycenter.muteConfigsEditor)
  • Manually mute findings:
    • Security Center Findings Editor (roles/securitycenter.findingsEditor)

You can also create and grant custom roles with some or all of the following permissions:

  • Mute rule read permissions
    • securitycenter.muteconfigs.get
    • securitycenter.muteconfigs.list
  • Mute rule write permissions
    • securitycenter.muteconfigs.create
    • securitycenter.muteconfigs.update
    • securitycenter.muteconfigs.delete
  • Finding write permissions
    • securitycenter.findings.setMute
    • securitycenter.findings.bulkMuteUpdate

Your ability to mute findings is determined by the roles granted to you at the organization, folder, or project level. You can mute findings in specific folders or projects, and restrict the ability of others to mute findings based on the access they are granted. For example, if you have access to a single project, you can only mute findings in that project. If you have access to a folder, you can mute findings in any subfolder or project inside that folder.

To learn more about Security Command Center roles, see Access control.

Mute findings

You can manually mute individual findings, silence multiple findings at once with bulk mute filters, or create mute rules that automatically suppress future findings based on filters you define.

Findings contain a mute attribute that can be set to MUTED or UNMUTED. When you mute and unmute findings, you change the value of the attribute. For more information, see Mute finding properties.

Muting findings is relevant for many use cases, including the following:

  • Assets within non-production environments where some stricter requirements might not be applicable.
  • Recommendations to use customer-managed encryption keys in projects that don't contain critical data.
  • Broad access granted on a datastore that is intentionally open to the public and disseminates public information.
  • Findings that aren't relevant to your organization or project based on your company's policies.

Muted findings continue to be logged for audit and compliance purposes, and can be viewed if needed. However, by default, they don't appear in the Google Cloud console. You can also filter muted findings from Pub/Sub notifications and Security Command Center API calls using the finding's mute attribute.

Mute an individual finding

To mute an individual finding, click the tab for the procedure that you want to use.

Console

  1. In the Google Cloud console, go to the Security Command Center Findings page.

  2. If necessary, select your Google Cloud project or organization.

  3. If you don't see the finding that you need to mute in the Findings query results panel, select the category of the finding in the Category section of the Quick filters panel.

  4. Select the checkbox next to the finding that you need to mute. You can select one or more findings.

  5. On the Findings query results action bar, click Mute options, and then select Mute.

    The mute attribute for the selected findings is set to MUTED and the finding is removed from the Findings query results panel.

Alternatively, you can mute a finding from its details panel:

  1. In the Finding query results panel of the Findings page, in the Category column, click the name of an individual finding. The details panel of the finding opens.
  2. Click Take action.
  3. From the Take action menu, select Mute.

    If you select Mute findings like this instead, the Create mute rule page opens where you can create a mute rule for findings of the same type or that include the same Indicator attribute.

gcloud

  1. In the Google Cloud console, activate Cloud Shell.

    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. To set a finding's mute state to MUTED, use the set-mute command in the gcloud CLI:

    gcloud scc findings set-mute FINDING_ID \
      --RESOURCE=RESOURCE_ID \
      --source=SOURCE_ID \
      --mute=MUTED
    

    Replace the following:

    • FINDING_ID: the ID for the finding you want to mute

      To retrieve finding IDs, use the Security Command Center API to list findings. The finding ID is the last part of the canonicalName attribute, for example, projects/123456789012/sources/1234567890123456789/findings/5ee30aa342e799e4e1700826de053aa9.

    • RESOURCE: the parent resource (project, folder, or organization), case-sensitive

    • RESOURCE_ID: the resource ID (project ID, folder ID, or organization ID)

    • SOURCE_ID: the source ID

      For instructions on retrieving a source ID, see Getting the source ID.

Go

import (
	"context"
	"fmt"
	"io"

	securitycenter "cloud.google.com/go/securitycenter/apiv1"
	"cloud.google.com/go/securitycenter/apiv1/securitycenterpb"
)

// setMute mutes an individual finding.
// If a finding is already muted, muting it again has no effect.
// Mute states include MUTE_UNSPECIFIED, MUTED, and UNMUTED.
func setMute(w io.Writer, findingPath string) error {
	// findingPath: The relative resource name of the finding. See:
	// https://cloud.google.com/apis/design/resource_names#relative_resource_name
	// Use any one of the following formats:
	//  - organizations/{organization_id}/sources/{source_id}/findings/{finding_id}
	//  - folders/{folder_id}/sources/{source_id}/findings/{finding_id}
	//  - projects/{project_id}/sources/{source_id}/findings/{finding_id}
	// findingPath := fmt.Sprintf("projects/%s/sources/%s/findings/%s", "your-google-cloud-project-id", "source", "finding-id")
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %w", err)
	}
	defer client.Close()

	req := &securitycenterpb.SetMuteRequest{
		Name: findingPath,
		Mute: securitycenterpb.Finding_MUTED}

	finding, err := client.SetMute(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to set the specified mute value: %w", err)
	}
	fmt.Fprintf(w, "Mute value for the finding: %s is %s", finding.Name, finding.Mute)
	return nil
}

Java


import com.google.cloud.securitycenter.v1.Finding;
import com.google.cloud.securitycenter.v1.Finding.Mute;
import com.google.cloud.securitycenter.v1.SecurityCenterClient;
import com.google.cloud.securitycenter.v1.SetMuteRequest;
import java.io.IOException;

public class SetMuteFinding {

  public static void main(String[] args) {
    // TODO: Replace the variables within {}

    // findingPath: The relative resource name of the finding. See:
    // https://cloud.google.com/apis/design/resource_names#relative_resource_name
    // Use any one of the following formats:
    //  - organizations/{organization_id}/sources/{source_id}/findings/{finding_id}
    //  - folders/{folder_id}/sources/{source_id}/findings/{finding_id}
    //  - projects/{project_id}/sources/{source_id}/findings/{finding_id}
    String findingPath = "{path-to-the-finding}";
    setMute(findingPath);
  }

  // Mute an individual finding.
  // If a finding is already muted, muting it again has no effect.
  // Mute states include MUTE_UNSPECIFIED, MUTED, and UNMUTED.
  public static void setMute(String findingPath) {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the "close" method on the client to safely clean up any remaining background resources.
    try (SecurityCenterClient client = SecurityCenterClient.create()) {

      SetMuteRequest setMuteRequest =
          SetMuteRequest.newBuilder().setName(findingPath).setMute(Mute.MUTED).build();

      Finding finding = client.setMute(setMuteRequest);
      System.out.println(
          "Mute value for the finding " + finding.getName() + " is: " + finding.getMute());
    } catch (IOException e) {
      System.out.println("Failed to set the specified mute value. \n Exception: " + e);
    }
  }
}

Python

def set_mute_finding(finding_path: str) -> None:
    """
      Mute an individual finding.
      If a finding is already muted, muting it again has no effect.
      Mute states include MUTE_UNSPECIFIED, MUTED, and UNMUTED.
    Args:
        finding_path: The relative resource name of the finding. See:
        https://cloud.google.com/apis/design/resource_names#relative_resource_name
        Use any one of the following formats:
        - organizations/{organization_id}/sources/{source_id}/findings/{finding_id},
        - folders/{folder_id}/sources/{source_id}/findings/{finding_id},
        - projects/{project_id}/sources/{source_id}/findings/{finding_id}.
    """
    from google.cloud import securitycenter

    client = securitycenter.SecurityCenterClient()

    request = securitycenter.SetMuteRequest()
    request.name = finding_path
    request.mute = securitycenter.Finding.Mute.MUTED

    finding = client.set_mute(request)
    print(f"Mute value for the finding: {finding.mute.name}")

REST API

In the API, use the setMute method to execute the following request. The request body is an enum that indicates the desired mute state.

POST https://securitycenter.googleapis.com/v1/RESOURCE/RESOURCE_ID/sources/SOURCE_ID/findings/FINDING_ID:setMute

{
  "mute": "MUTED"
}

Replace the following:

  • RESOURCE: the parent resource (organizations, folders, or projects)
  • RESOURCE_ID: the numeric ID for the selected resource
  • SOURCE_ID: the numeric ID for the source

    For instructions on retrieving a source ID, see Getting the source ID.

  • FINDING_ID: the ID for the finding you want to mute

    To retrieve finding IDs, use the Security Command Center API to list findings. The finding ID is the last part of the canonicalName attribute, for example, projects/123456789012/sources/1234567890123456789/findings/5ee30aa342e799e4e1700826de053aa9.

After you mute a finding, its mute attribute is set to MUTED.

Muting a finding doesn't affect whether it is active or not. If an active finding is muted, the state attribute remains unchanged: state="ACTIVE". The finding is hidden, but remains active until the underlying vulnerability, misconfiguration, or threat is resolved.

For more information about mute rules, see Create mute rules.

View muted findings in the Google Cloud console

You can view muted findings in the Google Cloud console by editing the finding query to select findings that include the property value mute="MUTED".

For example, the following findings query displays only active findings that are muted:

state="ACTIVE"
AND mute="MUTED"

To display all active findings, both muted and unmuted, omit the mute attribute from the query entirely:

state="ACTIVE"

By default, the finding query in the Google Cloud console displays only findings that are not muted.

For more information about editing finding queries, see Create or edit a findings query in the dashboard.
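Because a muted finding stays ACTIVE until the underlying issue is resolved, a periodic review of findings that are both active and muted is a useful check. The following is an added example, not part of the original page or Google's samples: it applies the state="ACTIVE" AND mute="MUTED" selection to an exported list of findings, orders the result by severity, and turns each canonicalName into the setMute URL shown earlier. The function names and the sample findings are constructed for illustration; only the attributes mentioned on this page are assumed to be present.

```python
import re

API_ROOT = "https://securitycenter.googleapis.com/v1"

# RESOURCE/RESOURCE_ID/sources/SOURCE_ID/findings/FINDING_ID, as in the setMute URL.
NAME_RE = re.compile(
    r"^(organizations|folders|projects)/([^/]+)/sources/([^/]+)/findings/([^/]+)$"
)

# Lower number is reviewed first; unknown severities sort last.
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

SRC = "sources/1234567890123456789"
# Constructed sample findings (not real data). The first canonicalName is the
# example from this page; the other finding IDs are placeholders.
SAMPLE_FINDINGS = [
    {"canonicalName": f"projects/123456789012/{SRC}/findings/5ee30aa342e799e4e1700826de053aa9",
     "category": "OPEN_FIREWALL", "severity": "HIGH", "state": "ACTIVE", "mute": "MUTED"},
    {"canonicalName": f"projects/123456789012/{SRC}/findings/constructed0001",
     "category": "PUBLIC_IP_ADDRESS", "severity": "LOW", "state": "ACTIVE", "mute": "MUTED"},
    {"canonicalName": f"folders/456/{SRC}/findings/constructed0002",
     "category": "OPEN_FIREWALL", "severity": "CRITICAL", "state": "ACTIVE", "mute": "MUTED"},
    {"canonicalName": f"organizations/789/{SRC}/findings/constructed0003",
     "category": "OPEN_FIREWALL", "severity": "HIGH", "state": "INACTIVE", "mute": "MUTED"},
    {"canonicalName": f"projects/123456789012/{SRC}/findings/constructed0004",
     "category": "PUBLIC_IP_ADDRESS", "severity": "HIGH", "state": "ACTIVE", "mute": "UNMUTED"},
]


def parse_canonical_name(name):
    """Split a finding's canonicalName into the placeholders used on this page."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a finding resource name: {name!r}")
    resource, resource_id, source_id, finding_id = m.groups()
    return {"resource": resource, "resource_id": resource_id,
            "source_id": source_id, "finding_id": finding_id}


def set_mute_url(name):
    """Build the REST setMute URL for a finding from its canonicalName."""
    p = parse_canonical_name(name)
    return (f"{API_ROOT}/{p['resource']}/{p['resource_id']}"
            f"/sources/{p['source_id']}/findings/{p['finding_id']}:setMute")


def muted_but_active(findings):
    """Findings hidden by muting whose underlying issue is still open."""
    hits = [f for f in findings
            if f.get("state") == "ACTIVE" and f.get("mute") == "MUTED"]
    return sorted(hits, key=lambda f: (SEVERITY_ORDER.get(f.get("severity"), 99),
                                       f["canonicalName"]))


def review_queue(findings, severities=("CRITICAL", "HIGH")):
    """Muted, active findings at the given severities, with the unmute request."""
    queue = []
    for f in muted_but_active(findings):
        if f.get("severity") in severities:
            queue.append({
                "finding_id": parse_canonical_name(f["canonicalName"])["finding_id"],
                "category": f["category"],
                "severity": f["severity"],
                "unmute_url": set_mute_url(f["canonicalName"]),
                "body": {"mute": "UNMUTED"},
            })
    return queue


if __name__ == "__main__":
    for item in review_queue(SAMPLE_FINDINGS):
        print(item["severity"], item["category"], item["unmute_url"])
```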

Unmute individual findings

To unmute an individual finding, click the tab for the procedure that you want to use.

Console

  1. In the Google Cloud console, go to the Security Command Center Findings page.

  2. If necessary, select your Google Cloud project or organization.

    The Findings page opens with the default query displayed in the Query preview section. The default query filters out muted findings, so you need to edit the query before muted findings appear in the Findings query results panel.

  3. To the right of the Query preview section, click Edit query to open the Query editor.

  4. In the Query editor field, replace the existing mute statement with the following:

    mute="MUTED"

  5. Click Apply. The findings in the Findings query results panel are updated to include only muted findings.

  6. If necessary, filter out other muted findings. For example, in the Quick filters panel under Category, select the name of the finding that you need to unmute to filter out all other categories of finding.

  7. Select the checkbox next to the finding that you want to unmute. You can select one or more findings.

  8. On the Findings query results action bar, click Mute options, and then select Unmute.

    The mute attribute for the selected findings is set to UNMUTED and the finding is removed from the Findings query results panel.

Alternatively, you can unmute a finding from its details panel:

  1. In the Finding query results panel of the Findings page, in the Category column, click the name of an individual finding. The details panel of the finding opens.
  2. Click Take action.
  3. From the Take action menu, select Unmute.

gcloud

  1. In the Google Cloud console, activate Cloud Shell.

    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. To set a finding's mute state to UNMUTED, use the set-mute command in the gcloud CLI:

    gcloud scc findings set-mute FINDING_ID \
      --RESOURCE=RESOURCE_ID \
      --source=SOURCE_ID \
      --mute=UNMUTED
    

    Replace the following:

    • FINDING_ID: the ID for the finding you want to unmute

      To retrieve finding IDs, use the Security Command Center API to list findings. The finding ID is the last part of the canonicalName attribute, for example, projects/123456789012/sources/1234567890123456789/findings/5ee30aa342e799e4e1700826de053aa9.

    • RESOURCE: the parent resource (project, folder, or organization), case-sensitive

    • RESOURCE_ID: the resource ID (project ID, folder ID, or organization ID)

    • SOURCE_ID: the source ID

      For instructions on retrieving a source ID, see Getting the source ID.

Go


import (
	"context"
	"fmt"
	"io"

	securitycenter "cloud.google.com/go/securitycenter/apiv1"
	"cloud.google.com/go/securitycenter/apiv1/securitycenterpb"
)

// setUnmute unmutes an individual finding.
// Unmuting a finding that isn't muted has no effect.
// Mute states include MUTE_UNSPECIFIED, MUTED, and UNMUTED.
func setUnmute(w io.Writer, findingPath string) error {
	// findingPath: The relative resource name of the finding. See:
	// https://cloud.google.com/apis/design/resource_names#relative_resource_name
	// Use any one of the following formats:
	//  - organizations/{organization_id}/sources/{source_id}/findings/{finding_id}
	//  - folders/{folder_id}/sources/{source_id}/findings/{finding_id}
	//  - projects/{project_id}/sources/{source_id}/findings/{finding_id}
	// findingPath := fmt.Sprintf("projects/%s/sources/%s/findings/%s", "your-google-cloud-project-id", "source", "finding-id")
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %w", err)
	}
	defer client.Close()

	req := &securitycenterpb.SetMuteRequest{
		Name: findingPath,
		Mute: securitycenterpb.Finding_UNMUTED}

	finding, err := client.SetMute(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to set the specified mute value: %w", err)
	}
	fmt.Fprintf(w, "Mute value for the finding: %s is %s", finding.Name, finding.Mute)
	return nil
}

Java


import com.google.cloud.securitycenter.v1.Finding;
import com.google.cloud.securitycenter.v1.Finding.Mute;
import com.google.cloud.securitycenter.v1.SecurityCenterClient;
import com.google.cloud.securitycenter.v1.SetMuteRequest;
import java.io.IOException;

public class SetUnmuteFinding {

  public static void main(String[] args) {
    // TODO: Replace the variables within {}

    // findingPath: The relative resource name of the finding. See:
    // https://cloud.google.com/apis/design/resource_names#relative_resource_name
    // Use any one of the following formats:
    //  - organizations/{organization_id}/sources/{source_id}/findings/{finding_id}
    //  - folders/{folder_id}/sources/{source_id}/findings/{finding_id}
    //  - projects/{project_id}/sources/{source_id}/findings/{finding_id}
    String findingPath = "{path-to-the-finding}";
    setUnmute(findingPath);
  }

  // Unmute an individual finding.
  // Unmuting a finding that isn't muted has no effect.
  // Mute states include MUTE_UNSPECIFIED, MUTED, and UNMUTED.
  public static void setUnmute(String findingPath) {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the "close" method on the client to safely clean up any remaining background resources.
    try (SecurityCenterClient client = SecurityCenterClient.create()) {

      SetMuteRequest setMuteRequest =
          SetMuteRequest.newBuilder().setName(findingPath).setMute(Mute.UNMUTED).build();

      Finding finding = client.setMute(setMuteRequest);
      System.out.println(
          "Mute value for the finding " + finding.getName() + " is: " + finding.getMute());
    } catch (IOException e) {
      System.out.println("Failed to set the specified mute value. \n Exception: " + e);
    }
  }
}

Python

def set_unmute_finding(finding_path: str) -> None:
    """
      Unmute an individual finding.
      Unmuting a finding that isn't muted has no effect.
      Mute states include MUTE_UNSPECIFIED, MUTED, and UNMUTED.
    Args:
        finding_path: The relative resource name of the finding. See:
        https://cloud.google.com/apis/design/resource_names#relative_resource_name
        Use any one of the following formats:
        - organizations/{organization_id}/sources/{source_id}/findings/{finding_id},
        - folders/{folder_id}/sources/{source_id}/findings/{finding_id},
        - projects/{project_id}/sources/{source_id}/findings/{finding_id}.
    """
    from google.cloud import securitycenter

    client = securitycenter.SecurityCenterClient()

    request = securitycenter.SetMuteRequest()
    request.name = finding_path
    request.mute = securitycenter.Finding.Mute.UNMUTED

    finding = client.set_mute(request)
    print(f"Mute value for the finding: {finding.mute.name}")

REST API

In the API, use the setMute method to execute the following request. The request body is an enum that indicates the desired mute state.

POST https://securitycenter.googleapis.com/v1/RESOURCE/RESOURCE_ID/sources/SOURCE_ID/findings/FINDING_ID:setMute

{
  "mute": "UNMUTED"
}

Replace the following:

  • RESOURCE: the parent resource (organizations, folders, or projects)
  • RESOURCE_ID: the numeric ID for the selected resource
  • SOURCE_ID: the numeric ID for the source

    For instructions on retrieving a source ID, see Getting the source ID.

  • FINDING_ID: the ID for the finding you want to unmute

    To retrieve finding IDs, use the Security Command Center API to list findings. The finding ID is the last part of the canonicalName attribute, for example, projects/123456789012/sources/1234567890123456789/findings/5ee30aa342e799e4e1700826de053aa9.

Selected findings are no longer hidden, and the mute attribute for the findings is set to UNMUTED.

Unmuted findings override mute rules

If a user unmutes findings, they remain unmuted even if existing mute rules still match the findings. In effect, unmute actions by users override mute rules.

Unmuted findings are muted again only if a user manually mutes the findings or creates a new matching mute rule in the Google Cloud console. Mute rules created with the gcloud CLI or Security Command Center API won't affect findings unmuted by users.

Bulk mute findings

You can use the Security Command Center API to bulk mute existing findings based on filters you specify. If you also want to mute similar future findings, use the same filters to create mute rules.

Bulk mute filters don't support all finding properties. For a list of unsupported properties, see Unsupported finding properties for mute rules.

To bulk mute findings, perform the following steps, or run any of the code samples:

Console

In the Google Cloud console, you can bulk mute findings only by creating mute rules, which silence both existing and future findings.

gcloud

  1. In the Google Cloud console, activate Cloud Shell.

    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. To bulk mute findings, run the gcloud scc findings bulk-mute command:

    gcloud scc findings bulk-mute \
      --RESOURCE=RESOURCE_ID \
      --filter="FILTER"
    

    Replace the following:

    • RESOURCE: the parent resource for your mute rule (organization, folder, or project)
    • RESOURCE_ID: the numeric ID for the selected resource
    • FILTER: the expression you define to filter findings

      For example, to mute all existing low-severity OPEN_FIREWALL and PUBLIC_IP_ADDRESS findings in the internal-test project, your filter can be "category=\"OPEN_FIREWALL\" OR category=\"PUBLIC_IP_ADDRESS\" AND severity=\"LOW\" AND resource.project_display_name=\"internal-test\"".

Go


import (
	"context"
	"fmt"
	"io"

	securitycenter "cloud.google.com/go/securitycenter/apiv1"
	"cloud.google.com/go/securitycenter/apiv1/securitycenterpb"
)

// bulkMute kicks off a long-running operation (LRO) to bulk mute findings for a parent based on a filter.
// The parent can be either an organization, folder, or project. The findings
// matched by the filter will be muted after the LRO is done.
func bulkMute(w io.Writer, parent string, muteRule string) error {
	// parent: Use any one of the following options:
	//             - organizations/{organization_id}
	//             - folders/{folder_id}
	//             - projects/{project_id}
	// parent := fmt.Sprintf("projects/%s", "your-google-cloud-project-id")
	// muteRule: Expression that identifies findings that should be muted.
	// To create mute rules, see:
	// https://cloud.google.com/security-command-center/docs/how-to-mute-findings#create_mute_rules
	// muteRule := "filter-condition"
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %w", err)
	}
	defer client.Close()

	req := &securitycenterpb.BulkMuteFindingsRequest{
		Parent: parent,
		Filter: muteRule,
	}

	op, err := client.BulkMuteFindings(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to bulk mute findings: %w", err)
	}
	response, err := op.Wait(ctx)
	if err != nil {
		return fmt.Errorf("failed to bulk mute findings: %w", err)
	}
	fmt.Fprintf(w, "Bulk mute findings completed successfully! %s", response)
	return nil
}

Java


import com.google.cloud.securitycenter.v1.BulkMuteFindingsRequest;
import com.google.cloud.securitycenter.v1.BulkMuteFindingsResponse;
import com.google.cloud.securitycenter.v1.SecurityCenterClient;
import java.io.IOException;
import java.util.concurrent.ExecutionException;

public class BulkMuteFindings {

  public static void main(String[] args) {
    // TODO: Replace the variables within {}

    // parentPath: Use any one of the following options:
    //             - organizations/{organization_id}
    //             - folders/{folder_id}
    //             - projects/{project_id}
    String parentPath = String.format("projects/%s", "your-google-cloud-project-id");

    // muteRule: Expression that identifies findings that should be muted.
    // eg: "resource.project_display_name=\"PROJECT_ID\""
    String muteRule = "{filter-condition}";

    bulkMute(parentPath, muteRule);
  }

  // Kicks off a long-running operation (LRO) to bulk mute findings for a parent based on a filter.
  // The parent can be either an organization, folder, or project. The findings
  // matched by the filter will be muted after the LRO is done.
  public static void bulkMute(String parentPath, String muteRule) {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the "close" method on the client to safely clean up any remaining background resources.
    try (SecurityCenterClient client = SecurityCenterClient.create()) {

      BulkMuteFindingsRequest bulkMuteFindingsRequest =
          BulkMuteFindingsRequest.newBuilder()
              .setParent(parentPath)
              // To create mute rules, see:
              // https://cloud.google.com/security-command-center/docs/how-to-mute-findings#create_mute_rules
              .setFilter(muteRule)
              .build();

      // ExecutionException is thrown if the below call fails.
      BulkMuteFindingsResponse response =
          client.bulkMuteFindingsAsync(bulkMuteFindingsRequest).get();
      System.out.println("Bulk mute findings completed successfully! " + response);
    } catch (IOException | InterruptedException | ExecutionException e) {
      System.out.println("Bulk mute findings failed! \n Exception: " + e);
    }
  }
}

Python

def bulk_mute_findings(parent_path: str, mute_rule: str) -> None:
    """
      Kicks off a long-running operation (LRO) to bulk mute findings for a parent based on a filter.
      The parent can be either an organization, folder, or project. The findings
      matched by the filter will be muted after the LRO is done.
    Args:
        parent_path: use any one of the following options:
                     - organizations/{organization}
                     - folders/{folder}
                     - projects/{project}
        mute_rule: Expression that identifies findings that should be updated.
    """
    from google.cloud import securitycenter

    client = securitycenter.SecurityCenterClient()

    request = securitycenter.BulkMuteFindingsRequest()
    request.parent = parent_path
    # To create mute rules, see:
    # https://cloud.google.com/security-command-center/docs/how-to-mute-findings#create_mute_rules
    request.filter = mute_rule

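    # bulk_mute_findings returns a long-running operation; result() blocks
    # until the matched findings have been muted.
    operation = client.bulk_mute_findings(request)
    response = operation.result()
    print(f"Bulk mute findings completed successfully! : {response}")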

REST API

In the API, use the bulkMute method to execute the following request. The request body contains the expression used to filter findings.

POST https://securitycenter.googleapis.com/v1/RESOURCE/RESOURCE_ID/findings:bulkMute

  {
    "filter": "FILTER"
  }

Replace the following:

  • RESOURCE: the parent resource (organizations, folders, or projects)
  • RESOURCE_ID: the numeric ID for the selected resource
  • FILTER: the expression you define to filter findings

    For example, to mute all existing low-severity OPEN_FIREWALL and PUBLIC_IP_ADDRESS findings in the internal-test project, your filter can be "category=\"OPEN_FIREWALL\" OR category=\"PUBLIC_IP_ADDRESS\" AND severity=\"LOW\" AND resource.project_display_name=\"internal-test\"".

All existing findings in the resource you select that exactly match the filter are hidden. The mute attribute for the findings is set to MUTED.

Muting findings doesn't change their state. If active findings are muted, they are hidden but remain active until the underlying vulnerabilities, misconfigurations, or threats are resolved.
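Before running a bulk mute, it helps to check which findings a filter selects. The following is an added example, not part of the original page or Google's samples: a local dry run of the example filter above against constructed findings. It assumes the grouping given in the Security Command Center API reference for the filter field (OR binds more tightly than AND), supports only field="value" terms, AND, OR and parentheses, and uses hypothetical names (compile_filter, preview, SAMPLE_FINDINGS).

```python
import re

# One token: punctuation, a double-quoted string, or a bare word (field, AND, OR).
TOKEN_RE = re.compile(r'\s*(?:(\(|\)|=)|"((?:[^"\\]|\\.)*)"|([A-Za-z_][\w.]*))')

# The example filter from this page, and the grouping a reader used to
# "AND binds tighter" languages might wrongly assume it has.
PAGE_FILTER = (
    'category="OPEN_FIREWALL" OR category="PUBLIC_IP_ADDRESS" '
    'AND severity="LOW" AND resource.project_display_name="internal-test"'
)
AND_FIRST_READING = (
    'category="OPEN_FIREWALL" OR (category="PUBLIC_IP_ADDRESS" '
    'AND severity="LOW" AND resource.project_display_name="internal-test")'
)


def make_finding(fid, category, severity, project):
    return {"id": fid, "category": category, "severity": severity,
            "resource": {"project_display_name": project}}


# Constructed findings (not real data), keyed by the filter's field names.
SAMPLE_FINDINGS = [
    make_finding("f1", "OPEN_FIREWALL", "LOW", "internal-test"),
    make_finding("f2", "PUBLIC_IP_ADDRESS", "LOW", "internal-test"),
    make_finding("f3", "OPEN_FIREWALL", "HIGH", "internal-test"),
    make_finding("f4", "OPEN_FIREWALL", "LOW", "prod-payments"),
    make_finding("f5", "OPEN_FIREWALL", "HIGH", "prod-payments"),
]


def tokenize(text):
    tokens, pos, text = [], 0, text.rstrip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {text[pos:pos + 10]!r}")
        punct, string, word = m.groups()
        if punct:
            tokens.append((punct, punct))
        elif string is not None:
            tokens.append(("STR", re.sub(r"\\(.)", r"\1", string)))  # unescape \"
        elif word in ("AND", "OR"):
            tokens.append((word, word))
        else:
            tokens.append(("FIELD", word))
        pos = m.end()
    return tokens


def lookup(finding, dotted):
    """Resolve a dotted field such as resource.project_display_name."""
    cur = finding
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


class FilterParser:
    """Recursive descent: expr = group (AND group)*, group = term (OR term)*."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i][0] if self.i < len(self.toks) else None

    def take(self, kind):
        if self.peek() != kind:
            raise ValueError(f"expected {kind}, got {self.peek()}")
        value = self.toks[self.i][1]
        self.i += 1
        return value

    def expr(self):  # AND binds loosest
        parts = [self.or_group()]
        while self.peek() == "AND":
            self.take("AND")
            parts.append(self.or_group())
        return lambda f: all(p(f) for p in parts)

    def or_group(self):  # OR binds tighter than AND
        parts = [self.term()]
        while self.peek() == "OR":
            self.take("OR")
            parts.append(self.term())
        return lambda f: any(p(f) for p in parts)

    def term(self):
        if self.peek() == "(":
            self.take("(")
            inner = self.expr()
            self.take(")")
            return inner
        field = self.take("FIELD")
        self.take("=")
        value = self.take("STR")
        return lambda f: lookup(f, field) == value


def compile_filter(text):
    """Return a predicate for the filter; an empty or truncated filter is an error."""
    parser = FilterParser(tokenize(text))
    predicate = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected trailing token {parser.peek()}")
    return predicate


def preview(filter_text, findings):
    """IDs of the findings the filter would select."""
    matches = compile_filter(filter_text)
    return [f["id"] for f in findings if matches(f)]
```

With OR grouped first, the page's filter selects only the low-severity findings in internal-test; the AND-first reading would also select the high-severity and production findings, which is the kind of difference worth catching in a preview.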

Create mute rules

Mute rules are Security Command Center configurations that use filters you create to automatically mute future findings based on criteria you specify. New findings that match mute filters are automatically muted on an ongoing basis. If you also want to mute similar existing findings, use the same filters to bulk mute findings.

For more information on creating filters, see Filtering notifications.

Mute rules don't support all finding properties. For a list of properties that mute rules do not support, see Unsupported finding properties for mute rules.

Your organization can create a maximum of 1,000 mute rules.

To create a mute rule, perform the following steps, or run any of the code samples:

Console

  1. In the Google Cloud console, go to the Security Command Center Findings page.

  2. If necessary, select your Google Cloud project or organization.

  3. Click Mute options, and then select Create mute rule.

  4. Enter a Mute rule ID. This value is required.

  5. Enter a Mute rule description that provides context for why findings are muted. This value is optional but recommended.

  6. Parent resource indicates the scope at which the mute rule will be created and applied.

  7. In the Findings query field, build your query statements by clicking Add filter. Alternatively, you can type in the query statements manually.

    The Select filter dialog lets you choose supported finding attributes and values.

    1. Select a finding attribute or type its name in the Search finding attributes box. A list of the available sub-attributes displays.
    2. Select a sub-attribute. A selection field for your evaluation options displays above a list of the sub-attribute values found in the findings in the Findings query results panel.
    3. Select an evaluation option for the values of the selected sub-attribute. For more information about the evaluation options and the operators and functions that they use, see Query operators in the Add filters menu.
    4. Select Apply.

      The dialog closes and your query is updated.

    5. Repeat until the findings query contains all the attributes you want.
  8. Review the filter for accuracy. To make changes, delete or add properties and filter values as needed.

  9. Click Preview matching findings.

    A table displays findings that match your query.

  10. Click Save.

gcloud

  1. In the Google Cloud console, activate Cloud Shell.

    Activate Cloud Shell

    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. To create mute rules, run the gcloud scc muteconfigs create command:

    gcloud scc muteconfigs create RULE_NAME \
      --RESOURCE=RESOURCE_ID \
      --description=RULE_DESCRIPTION \
      --filter=FILTER
    

    Replace the following:

    • RULE_NAME: the name of the mute rule (between 1 and 63 characters)
    • RESOURCE: the parent resource for your mute rule (organization, folder, or project)
    • RESOURCE_ID: the numeric ID for the selected resource
    • RULE_DESCRIPTION: a description of the mute rule (max: 1,024 characters)
    • FILTER: the expression you define to filter findings

      For example, to mute OPEN_FIREWALL findings, your filter can be FILTER="category=\"OPEN_FIREWALL\"".

    The response includes the mute config ID, which you can use to view, update, and delete mute rules, as described in Manage mute rules.

Go


import (
	"context"
	"fmt"
	"io"

	securitycenter "cloud.google.com/go/securitycenter/apiv1"
	"cloud.google.com/go/securitycenter/apiv1/securitycenterpb"
)

// createMuteRule: Creates a mute configuration under a given scope that will mute
// all new findings that match a given filter.
// Existing findings will not be muted.
func createMuteRule(w io.Writer, parent string, muteConfigId string) error {
	// parent: Use any one of the following options:
	//             - organizations/{organization_id}
	//             - folders/{folder_id}
	//             - projects/{project_id}
	// parent := fmt.Sprintf("projects/%s", "your-google-cloud-project-id")
	// muteConfigId: Set a random id; max of 63 chars.
	// muteConfigId := "random-mute-id-" + uuid.New().String()
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %w", err)
	}
	defer client.Close()

	muteConfig := &securitycenterpb.MuteConfig{
		Description: "Mute low-medium IAM grants excluding 'compute' ",
		// Set mute rule(s).
		// To construct mute rules and for supported properties, see:
		// https://cloud.google.com/security-command-center/docs/how-to-mute-findings#create_mute_rules
		Filter: "severity=\"LOW\" OR severity=\"MEDIUM\" AND " +
			"category=\"Persistence: IAM Anomalous Grant\" AND " +
			"-resource.type:\"compute\"",
	}

	req := &securitycenterpb.CreateMuteConfigRequest{
		Parent:       parent,
		MuteConfigId: muteConfigId,
		MuteConfig:   muteConfig,
	}

	response, err := client.CreateMuteConfig(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to create mute rule: %w", err)
	}
	fmt.Fprintf(w, "Mute rule created successfully: %s", response.Name)
	return nil
}

Java


import com.google.cloud.securitycenter.v1.CreateMuteConfigRequest;
import com.google.cloud.securitycenter.v1.MuteConfig;
import com.google.cloud.securitycenter.v1.SecurityCenterClient;
import java.io.IOException;
import java.util.UUID;

public class CreateMuteRule {

  public static void main(String[] args) {
    // TODO: Replace the variables within {}

    // parentPath: Use any one of the following options:
    //             - organizations/{organization_id}
    //             - folders/{folder_id}
    //             - projects/{project_id}
    String parentPath = String.format("projects/%s", "your-google-cloud-project-id");

    // muteConfigId: Set a random id; max of 63 chars.
    String muteConfigId = "random-mute-id-" + UUID.randomUUID();
    createMuteRule(parentPath, muteConfigId);
  }

  // Creates a mute configuration under a given scope that will mute
  // all new findings that match a given filter.
  // Existing findings will not be muted.
  public static void createMuteRule(String parentPath, String muteConfigId) {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the "close" method on the client to safely clean up any remaining background resources.
    try (SecurityCenterClient client = SecurityCenterClient.create()) {

      MuteConfig muteConfig =
          MuteConfig.newBuilder()
              .setDescription("Mute low-medium IAM grants excluding 'compute' ")
              // Set mute rule(s).
              // To construct mute rules and for supported properties, see:
              // https://cloud.google.com/security-command-center/docs/how-to-mute-findings#create_mute_rules
              .setFilter(
                  "severity=\"LOW\" OR severity=\"MEDIUM\" AND "
                      + "category=\"Persistence: IAM Anomalous Grant\" AND "
                      + "-resource.type:\"compute\"")
              .build();

      CreateMuteConfigRequest request =
          CreateMuteConfigRequest.newBuilder()
              .setParent(parentPath)
              .setMuteConfigId(muteConfigId)
              .setMuteConfig(muteConfig)
              .build();

      // ExecutionException is thrown if the below call fails.
      MuteConfig response = client.createMuteConfig(request);
      System.out.println("Mute rule created successfully: " + response.getName());
    } catch (IOException e) {
      System.out.println("Mute rule creation failed! \n Exception: " + e);
    }
  }
}

Python



def create_mute_rule(parent_path: str, mute_config_id: str) -> None:
    """
    Creates a mute configuration under a given scope that will mute
    all new findings that match a given filter.
    Existing findings will NOT BE muted.
    Args:
        parent_path: use any one of the following options:
                     - organizations/{organization_id}
                     - folders/{folder_id}
                     - projects/{project_id}
        mute_config_id: Set a unique id; max of 63 chars.
    """

    from google.cloud import securitycenter

    client = securitycenter.SecurityCenterClient()

    mute_config = securitycenter.MuteConfig()
    mute_config.description = "Mute low-medium IAM grants excluding 'compute' "
    # Set mute rule(s).
    # To construct mute rules and for supported properties, see:
    # https://cloud.google.com/security-command-center/docs/how-to-mute-findings#create_mute_rules
    mute_config.filter = (
        'severity="LOW" OR severity="MEDIUM" AND '
        'category="Persistence: IAM Anomalous Grant" AND '
        '-resource.type:"compute"'
    )

    request = securitycenter.CreateMuteConfigRequest()
    request.parent = parent_path
    request.mute_config_id = mute_config_id
    request.mute_config = mute_config

    mute_config = client.create_mute_config(request=request)
    print(f"Mute rule created successfully: {mute_config.name}")

REST API

In the API, use the muteConfigs create method to execute the following request. The request body is an instance of MuteConfig.

POST https://securitycenter.googleapis.com/v1/RESOURCE/RESOURCE_ID/muteConfigs?muteConfigId=MUTE_RULE_ID

  {
    "description": "RULE_DESCRIPTION",
    "filter": FILTER
  }

Replace the following:

  • RESOURCE: the parent resource for your mute rule (organizations, folders, or projects)
  • RESOURCE_ID: the numeric ID for the selected resource
  • MUTE_RULE_ID: the name of the mute rule (between 1 and 63 characters)
  • RULE_DESCRIPTION: a description of the mute rule (max: 1,024 characters)
  • FILTER: the expression you define to filter findings

    For example, to mute OPEN_FIREWALL findings, your filter can be "category=\"OPEN_FIREWALL\"".

The response includes the mute config ID, which you can use to view, update, and delete mute rules, as described in Manage mute rules.

New findings that exactly match the filter are hidden, and the mute attribute for the findings is set to MUTED.

Unsupported finding properties for mute rules

Mute rules don't support all finding properties in filters. The following properties are not supported in mute rule filters.

  • createTime
  • eventTime
  • mute
  • mute_initiator
  • mute_update_time
  • name
  • parent
  • security_marks
  • source_properties
  • state
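The limits given for creating a rule and the unsupported-property list above can be checked locally before a rule is submitted. The following is an added example, not part of the original page or Google's samples; `validate_mute_rule` and its helpers are hypothetical names, it recognizes only `property operator value` restrictions, and treating `create_time` as the same property as `createTime` is an assumption.

```python
import re

# Properties this page lists as unsupported in mute rule filters.
UNSUPPORTED_PROPERTIES = (
    "createTime", "eventTime", "mute", "mute_initiator", "mute_update_time",
    "name", "parent", "security_marks", "source_properties", "state",
)
MAX_RULE_ID_LENGTH = 63        # rule name: between 1 and 63 characters
MAX_DESCRIPTION_LENGTH = 1024  # description: max 1,024 characters

# A double-quoted literal, honouring backslash escapes such as \".
_QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')
# A dotted property path immediately followed by a comparison operator.
_PROPERTY = re.compile(r'([A-Za-z_][A-Za-z0-9_.]*)\s*(?:!=|<=|>=|[=:<>])')


def _normalize(name: str) -> str:
    # Assumption: createTime and create_time name the same property, so
    # compare names case-insensitively with underscores removed.
    return name.replace("_", "").lower()


_UNSUPPORTED_ROOTS = {_normalize(p) for p in UNSUPPORTED_PROPERTIES}


def filter_properties(filter_expr: str) -> list[str]:
    """Return the distinct property paths a filter restricts, in order."""
    # Blank out quoted values first so text such as "state=x" inside a
    # value is never mistaken for a property.
    without_values = _QUOTED.sub('""', filter_expr)
    seen = []
    for path in _PROPERTY.findall(without_values):
        if path not in seen:
            seen.append(path)
    return seen


def unsupported_in(filter_expr: str) -> list[str]:
    """Return the property paths that mute rule filters do not support."""
    # Only the first path segment matters: resource.name is fine, name is not.
    return [
        path for path in filter_properties(filter_expr)
        if _normalize(path.split(".", 1)[0]) in _UNSUPPORTED_ROOTS
    ]


def validate_mute_rule(rule_id: str, description: str, filter_expr: str) -> list[str]:
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if not 1 <= len(rule_id) <= MAX_RULE_ID_LENGTH:
        problems.append(
            f"rule ID must be 1-{MAX_RULE_ID_LENGTH} characters, got {len(rule_id)}"
        )
    if len(description) > MAX_DESCRIPTION_LENGTH:
        problems.append(f"description exceeds {MAX_DESCRIPTION_LENGTH} characters")
    for path in unsupported_in(filter_expr):
        problems.append(f"filter uses unsupported property: {path}")
    return problems


if __name__ == "__main__":
    # Constructed sample rules: (rule ID, description, filter).
    samples = [
        ("mute-open-firewall", "Accepted risk in sandbox", 'category="OPEN_FIREWALL"'),
        ("mute-active-only", "", 'category="OPEN_FIREWALL" AND state="ACTIVE"'),
        ("mute-reviewed", "", '-security_marks.marks.reviewed="true"'),
    ]
    for rule_id, description, filter_expr in samples:
        print(rule_id, validate_mute_rule(rule_id, description, filter_expr) or "ok")
```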

Mute finding properties

This section lists mute finding properties, and describes how they are impacted by mute operations:

  • mute: set to UNDEFINED when findings are created and changes in the following scenarios:
    • MUTED: a finding is muted manually or by a mute rule.
    • UNMUTED: a user unmutes a finding.
  • mute_update_time: the time that a finding gets muted or unmuted
  • mute_initiator: the identifier for the principal or mute rule that muted a finding

Stop notifications for muted findings

If you enable finding notifications, muted findings that match your notification filters still trigger notifications in Pub/Sub.

To stop notifications for muted findings, use the mute attribute to exclude muted findings in your NotificationConfig filter. For example, the following filter only sends notifications for active findings that are not muted or where the mute attribute hasn't been set:

FILTER="state=\"ACTIVE\" AND -mute=\"MUTED\""
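To see which findings the notification filter above lets through, and how the sample mute rule filter from the Create mute rules code samples groups its conditions, the following added example evaluates both against constructed findings. It is not part of the original page or the service's implementation: it is a simplified local model that supports only `=`, `:` (substring match), `AND`, `OR` and a leading `-`, follows the Security Command Center API reference's rule that `OR` has higher precedence than `AND`, and assumes an unset property reads as an empty string.

```python
import re

# One token: quoted string, operator, negation, or bare word (property or keyword).
_TOKEN = re.compile(r'\s*("(?:\\.|[^"\\])*"|[=:]|-|[A-Za-z_][\w.]*)')


def tokenize(filter_expr):
    tokens, pos, text = [], 0, filter_expr.strip()
    while pos < len(text):
        match = _TOKEN.match(text, pos)
        if match is None:
            raise ValueError(f"cannot parse filter at offset {pos}")
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


def lookup(finding, path):
    """Resolve a dotted path such as resource.type; unset values read as ''."""
    value = finding
    for part in path.split("."):
        value = value.get(part, "") if isinstance(value, dict) else ""
    return str(value)


def _conjunction(tokens, finding):
    """AND level, the loosest binding."""
    result = _disjunction(tokens, finding)
    while tokens[:1] == ["AND"]:
        tokens.pop(0)
        right = _disjunction(tokens, finding)  # parse both sides, then combine
        result = result and right
    return result


def _disjunction(tokens, finding):
    """OR level, which binds tighter than AND in these filters."""
    result = _restriction(tokens, finding)
    while tokens[:1] == ["OR"]:
        tokens.pop(0)
        right = _restriction(tokens, finding)
        result = result or right
    return result


def _restriction(tokens, finding):
    token = tokens.pop(0)
    if token == "-":  # a leading minus negates the restriction that follows
        return not _restriction(tokens, finding)
    operator, raw = tokens.pop(0), tokens.pop(0)
    expected = raw[1:-1].replace('\\"', '"') if raw.startswith('"') else raw
    actual = lookup(finding, token)
    if operator == "=":
        return actual == expected
    if operator == ":":  # substring match
        return expected in actual
    raise ValueError(f"unsupported operator {operator!r}")


def matches(filter_expr, finding):
    tokens = tokenize(filter_expr)
    try:
        result = _conjunction(tokens, finding)
    except IndexError:
        raise ValueError("filter ended unexpectedly") from None
    if tokens:
        raise ValueError(f"unexpected token {tokens[0]!r}")
    return result


def matching_names(filter_expr, findings):
    return [f["name"] for f in findings if matches(filter_expr, f)]


NOTIFICATION_FILTER = 'state="ACTIVE" AND -mute="MUTED"'
MUTE_RULE_FILTER = (
    'severity="LOW" OR severity="MEDIUM" AND '
    'category="Persistence: IAM Anomalous Grant" AND -resource.type:"compute"'
)
IAM_GRANT = "Persistence: IAM Anomalous Grant"
FINDINGS = [  # constructed sample findings; f5 never had its mute attribute set
    {"name": "f1", "state": "ACTIVE", "mute": "UNDEFINED", "severity": "LOW",
     "category": IAM_GRANT, "resource": {"type": "google.cloud.resourcemanager.Project"}},
    {"name": "f2", "state": "ACTIVE", "mute": "MUTED", "severity": "MEDIUM",
     "category": IAM_GRANT, "resource": {"type": "google.compute.Instance"}},
    {"name": "f3", "state": "ACTIVE", "mute": "UNMUTED", "severity": "LOW",
     "category": "OPEN_FIREWALL", "resource": {"type": "google.compute.Firewall"}},
    {"name": "f4", "state": "INACTIVE", "mute": "UNDEFINED", "severity": "HIGH",
     "category": "OPEN_FIREWALL", "resource": {"type": "google.compute.Firewall"}},
    {"name": "f5", "state": "ACTIVE", "severity": "HIGH",
     "category": "PUBLIC_BUCKET_ACL", "resource": {"type": "google.cloud.storage.Bucket"}},
]


if __name__ == "__main__":
    print("notified:", matching_names(NOTIFICATION_FILTER, FINDINGS))
    print("matched by mute rule:", matching_names(MUTE_RULE_FILTER, FINDINGS))
```

Finding f3 is the case to watch: it has severity LOW but is not matched by the mute rule filter, because the two severity terms are grouped together before the `AND` conditions apply.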

Manage mute rules

You can view, update, and delete mute rules based on the scope of your IAM roles. With organization-level roles, you see mute rules for all folders and projects within the organization. If you have folder-level roles, you can access and manage mute rules for specific folders and all subfolders and projects within those folders. Project-level roles let you manage mute rules in specific projects.

Security Command Center Premium supports granting roles at the organization, folder, and project levels. Security Command Center Standard only supports granting roles at the organization level. For more information, see Access control.

List mute rules

To see a list of mute rules for your organizations, folders, or projects (depending on the scope of your IAM roles), perform the following steps, or run any of the code samples:

Console

  1. In the Google Cloud console, go to the Mute rules tab in the Security Command Center Settings page.

    Go to Mute rules

  2. If necessary, select your Google Cloud project or organization.
  3. In the Mute rules section, you see details for active mute rules, including the following:
    • Name: mute rule ID
    • Parent resource: the resource where the mute rule lives
    • Description: the mute rule description, if available
    • Last updated by: the principal who last updated the rule
    • Last updated: the date and time the rule was last updated

gcloud

  1. In the Google Cloud console, activate Cloud Shell.

    Activate Cloud Shell

    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. To list mute rules, run the gcloud scc muteconfigs list command:

      gcloud scc muteconfigs list --RESOURCE=RESOURCE_ID
    

    Replace the following:

    • RESOURCE: the parent resource for your mute rule (organization, folder, or project)
    • RESOURCE_ID: the numeric ID for the selected resource

Go

import (
	"context"
	"fmt"
	"io"

	securitycenter "cloud.google.com/go/securitycenter/apiv1"
	"cloud.google.com/go/securitycenter/apiv1/securitycenterpb"
	"google.golang.org/api/iterator"
)

// listMuteRules lists the mute configs under the given parent resource.
// Listing mute configs at the organization level returns all the configs
// at the org, folder, and project levels.
// Similarly, listing configs at folder level will list all the configs
// at the folder and project levels.
func listMuteRules(w io.Writer, parent string) error {
	// Use any one of the following resource paths to list mute configurations:
	//         - organizations/{organization_id}
	//         - folders/{folder_id}
	//         - projects/{project_id}
	// parent := fmt.Sprintf("projects/%s", "your-google-cloud-project-id")
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %w", err)
	}
	defer client.Close()

	req := &securitycenterpb.ListMuteConfigsRequest{Parent: parent}

	// List all mute configs present in the resource.
	it := client.ListMuteConfigs(ctx, req)
	for {
		muteconfig, err := it.Next()
		if err == iterator.Done {
			break
		}
		if err != nil {
			return fmt.Errorf("it.Next: %w", err)
		}
		fmt.Fprintf(w, "Muteconfig Name: %s, ", muteconfig.Name)
	}
	return nil
}

Java


import com.google.cloud.securitycenter.v1.ListMuteConfigsRequest;
import com.google.cloud.securitycenter.v1.MuteConfig;
import com.google.cloud.securitycenter.v1.SecurityCenterClient;
import java.io.IOException;

public class ListMuteRules {

  public static void main(String[] args) {
    // TODO: Replace variables enclosed within {}

    // parent: Use any one of the following resource paths to list mute configurations:
    //         - organizations/{organization_id}
    //         - folders/{folder_id}
    //         - projects/{project_id}
    String parentPath = String.format("projects/%s", "your-google-cloud-project-id");
    listMuteRules(parentPath);
  }

  // Listing mute configs at the organization level will return all the configs
  // at the org, folder, and project levels.
  // Similarly, listing configs at folder level will list all the configs
  // at the folder and project levels.
  public static void listMuteRules(String parent) {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the "close" method on the client to safely clean up any remaining background resources.
    try (SecurityCenterClient client = SecurityCenterClient.create()) {

      ListMuteConfigsRequest listMuteConfigsRequest =
          ListMuteConfigsRequest.newBuilder().setParent(parent).build();

      // List all mute configs present in the resource.
      for (MuteConfig muteConfig : client.listMuteConfigs(listMuteConfigsRequest).iterateAll()) {
        System.out.println(muteConfig.getName());
      }
    } catch (IOException e) {
      System.out.println("Listing Mute rule failed! \n Exception: " + e);
    }
  }
}

Python

def list_mute_rules(parent: str) -> None:
    """
    Listing mute configs at organization level will return all the configs
    at the org, folder and project levels.
    Similarly, listing configs at folder level will list all the configs
    at the folder and project levels.
    Args:
        parent: Use any one of the following resource paths to list mute configurations:
                - organizations/{organization_id}
                - folders/{folder_id}
                - projects/{project_id}
    """
    from google.cloud import securitycenter

    client = securitycenter.SecurityCenterClient()

    request = securitycenter.ListMuteConfigsRequest()
    request.parent = parent

    # List all Mute Configs present in the resource.
    for mute_config in client.list_mute_configs(request):
        print(mute_config.name)

REST API

In the API, use the muteConfigs list method to make the following request. The request body is empty.

GET https://securitycenter.googleapis.com/v1/RESOURCE/RESOURCE_ID/muteConfigs

Replace the following:

  • RESOURCE: the parent resource for your mute rule (organizations, folders, or projects)
  • RESOURCE_ID: the numeric ID for the selected resource

The response includes the names, descriptions, and mute config IDs for your mute rules.

View mute rules

Console

  1. In the Google Cloud console, go to the Mute rules tab in the Security Command Center Settings page.

    Go to Mute rules

  2. If necessary, select your Google Cloud project or organization.
  3. In the Mute rules section, you see a list of mute rules.
  4. Click the name of the rule you want to view.

    A page opens with the mute rule's configuration.

gcloud

  1. In the Google Cloud console, activate Cloud Shell.

    Activate Cloud Shell

    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. To view mute rules, run the gcloud scc muteconfigs get command:

      gcloud scc muteconfigs get MUTE_CONFIG_ID \
        --RESOURCE=RESOURCE_ID
    

    Replace the following:

    • MUTE_CONFIG_ID: the ID for the mute config
    • RESOURCE: the parent resource for your mute rule (organization, folder, or project)
    • RESOURCE_ID: the numeric ID for the selected resource

Go

import (
	"context"
	"fmt"
	"io"

	securitycenter "cloud.google.com/go/securitycenter/apiv1"
	"cloud.google.com/go/securitycenter/apiv1/securitycenterpb"
)

// getMuteRule retrieves a mute configuration given its resource name.
func getMuteRule(w io.Writer, parent string, muteConfigId string) error {
	// Use any one of the following resource paths to get mute configuration:
	//         - organizations/{organization_id}
	//         - folders/{folder_id}
	//         - projects/{project_id}
	// parent := fmt.Sprintf("projects/%s", "your-google-cloud-project-id")
	//
	// Name of the mute config to retrieve.
	// muteConfigId := "mute-config-id"
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %w", err)
	}
	defer client.Close()

	req := &securitycenterpb.GetMuteConfigRequest{
		Name: fmt.Sprintf("%s/muteConfigs/%s", parent, muteConfigId),
	}

	muteconfig, err := client.GetMuteConfig(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to retrieve mute config: %w", err)
	}
	fmt.Fprintf(w, "Muteconfig Name: %s ", muteconfig.Name)
	return nil
}

Java


import com.google.cloud.securitycenter.v1.MuteConfig;
import com.google.cloud.securitycenter.v1.MuteConfigName;
import com.google.cloud.securitycenter.v1.SecurityCenterClient;
import java.io.IOException;

public class GetMuteRule {

  public static void main(String[] args) {
    // TODO(Developer): Replace the following variables

    // projectId: The ID of the Google Cloud project that contains the mute config.
    // This sample builds a project-level resource name; for an organization or
    // folder parent, use the matching MuteConfigName method noted in getMuteRule.
    String projectId = "your-google-cloud-project-id";

    // muteConfigId: Name of the mute config to retrieve.
    String muteConfigId = "mute-config-id";

    getMuteRule(projectId, muteConfigId);
  }

  // Retrieves a mute configuration given its resource name.
  public static void getMuteRule(String projectId, String muteConfigId) {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the "close" method on the client to safely clean up any remaining background resources.
    try (SecurityCenterClient client = SecurityCenterClient.create()) {
      // Use appropriate MuteConfigName methods depending on the type of parent.
      // (org -> MuteConfigName.ofOrganizationMuteConfigName()
      // folder -> MuteConfigName.ofFolderMuteConfigName()
      // project -> MuteConfigName.ofProjectMuteConfigName)
      MuteConfig muteConfig =
          client.getMuteConfig(MuteConfigName.ofProjectMuteConfigName(projectId, muteConfigId));

      System.out.println("Retrieved the mute config: " + muteConfig);
    } catch (IOException e) {
      System.out.println("Mute rule retrieval failed! \n Exception: " + e);
    }
  }
}

Python

def get_mute_rule(mute_config_name: str) -> None:
    """
    Retrieves a mute configuration given its resource name.
    Args:
        mute_config_name: Name of the mute config to retrieve.
                          Use any one of the following formats:
                          - organizations/{organization}/muteConfigs/{config_id}
                          - folders/{folder}/muteConfigs/{config_id}
                          - projects/{project}/muteConfigs/{config_id}
    """
    from google.cloud import securitycenter

    client = securitycenter.SecurityCenterClient()

    request = securitycenter.GetMuteConfigRequest()
    request.name = mute_config_name

    mute_config = client.get_mute_config(request)
    print(f"Retrieved the mute rule: {mute_config.name}")

REST API

In the API, use the muteConfigs get method to make the following request. The request body is empty.

To get the CONFIG_ID for mute rules, first execute an API call to List mute rules. The response includes config IDs for returned mute rules.

GET https://securitycenter.googleapis.com/v1/RESOURCE/RESOURCE_ID/muteConfigs/CONFIG_ID

Replace the following:

  • RESOURCE: the parent resource for your mute rule (organizations, folders, or projects)
  • RESOURCE_ID: the numeric ID for the selected resource
  • CONFIG_ID: the numeric ID of the mute rule

Update mute rules

You can update mute rules by changing their descriptions and filters. However, you can't change mute rule IDs or parent resources. To change a mute rule ID, you must create a new mute rule.

If you previously unmuted findings, they will be muted again if they are matched by a mute rule updated in the Google Cloud console. For more information, see Unmuted findings override mute rules.

To update a mute rule, perform the following steps, or run any of the code samples.

Console

  1. In the Google Cloud console, go to the Mute rules tab in the Security Command Center Settings page.

    Go to Mute rules

  2. Select the Google Cloud project or organization that is the parent resource for the mute rule you want to modify.

  3. Click the name of the mute rule you want to modify.

    If you didn't select the appropriate project or organization, you might see a note informing you that you don't have permission to modify the mute rule.

  4. Enter a new description, and then click Save.

  5. Update or change the filter.

    For instructions, see Create mute rules.

  6. To view findings that match the updated filter, click Preview Matching Findings.

    A table loads with findings that match the new query.

  7. Click Save.

gcloud

  1. In the Google Cloud console, activate Cloud Shell.

    Activate Cloud Shell

    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. To update mute rules, run the gcloud scc muteconfigs update command:

      gcloud scc muteconfigs update MUTE_CONFIG_ID \
        --RESOURCE=RESOURCE_ID \
        --description=RULE_DESCRIPTION \
        --filter=FILTER
    

    Replace the following:

    • MUTE_CONFIG_ID: the ID for the mute config
    • RESOURCE: the parent resource for your mute rule (organization, folder, or project)
    • RESOURCE_ID: the numeric ID for the selected resource
    • RULE_DESCRIPTION: a description of the mute rule (max: 1,024 characters)
    • FILTER: the expression you define to filter findings

      For example, to mute OPEN_FIREWALL findings, your filter could be FILTER="category=\"OPEN_FIREWALL\"".

Go


import (
	"context"
	"fmt"
	"io"

	securitycenter "cloud.google.com/go/securitycenter/apiv1"
	"cloud.google.com/go/securitycenter/apiv1/securitycenterpb"
	"google.golang.org/protobuf/types/known/fieldmaskpb"
)

// updateMuteRule updates an existing mute configuration.
// The following can be updated in a mute config: description and filter.
func updateMuteRule(w io.Writer, muteConfigName string) error {
	// Specify the name of the mute config to update.
	// muteConfigName: Use any one of the following formats:
	//                 - organizations/{organization}/muteConfigs/{config_id}
	//                 - folders/{folder}/muteConfigs/{config_id}
	//                 - projects/{project}/muteConfigs/{config_id}
	// muteConfigName := fmt.Sprintf("projects/%s/muteConfigs/%s", "project-id", "mute-config")
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %w", err)
	}
	defer client.Close()

	updateMuteConfig := &securitycenterpb.MuteConfig{
		Name:        muteConfigName,
		Description: "Updated mute config description",
	}

	req := &securitycenterpb.UpdateMuteConfigRequest{
		MuteConfig: updateMuteConfig,
		// Set the update mask to specify which properties of the mute config should be
		// updated.
		// If empty, all mutable fields will be updated.
		// Make sure that the mask fields match the properties changed in 'updateMuteConfig'.
		// For more info on constructing update mask path, see the proto or:
		// https://cloud.google.com/security-command-center/docs/reference/rest/v1/folders.muteConfigs/patch?hl=en#query-parameters
		UpdateMask: &fieldmaskpb.FieldMask{
			Paths: []string{
				"description",
			},
		},
	}

	response, err := client.UpdateMuteConfig(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to update mute rule: %w", err)
	}
	fmt.Fprintf(w, "Mute rule updated %s", response.Name)
	return nil
}

Java


import com.google.cloud.securitycenter.v1.MuteConfig;
import com.google.cloud.securitycenter.v1.SecurityCenterClient;
import com.google.cloud.securitycenter.v1.UpdateMuteConfigRequest;
import com.google.protobuf.FieldMask;
import java.io.IOException;

public class UpdateMuteRule {

  public static void main(String[] args) {
    // TODO: Replace the variables within {}

    // Specify the name of the mute config to update.
    // muteConfigName: Use any one of the following formats:
    //                 - organizations/{organization}/muteConfigs/{config_id}
    //                 - folders/{folder}/muteConfigs/{config_id}
    //                 - projects/{project}/muteConfigs/{config_id}
    String muteConfigName = "{any-one-of-the-above-formats}";
    updateMuteRule(muteConfigName);
  }

  // Updates an existing mute configuration.
  // The following can be updated in a mute config: description and filter.
  public static void updateMuteRule(String muteConfigName) {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the "close" method on the client to safely clean up any remaining background resources.
    try (SecurityCenterClient securityCenterClient = SecurityCenterClient.create()) {

      MuteConfig updateMuteConfig =
          MuteConfig.newBuilder()
              .setName(muteConfigName)
              .setDescription("Updated mute config description")
              .build();

      UpdateMuteConfigRequest updateMuteConfigRequest =
          UpdateMuteConfigRequest.newBuilder()
              .setMuteConfig(updateMuteConfig)
              // Set the update mask to specify which properties of the mute config should be
              // updated.
              // If empty, all mutable fields will be updated.
              // Make sure that the mask fields match the properties changed in 'updateMuteConfig'.
              // For more info on constructing update mask path, see the proto or:
              // https://cloud.google.com/security-command-center/docs/reference/rest/v1/folders.muteConfigs/patch?hl=en#query-parameters
              .setUpdateMask(FieldMask.newBuilder().addPaths("description").build())
              .build();

      MuteConfig response = securityCenterClient.updateMuteConfig(updateMuteConfigRequest);
      System.out.println(response);
    } catch (IOException e) {
      System.out.println("Mute rule update failed! \n Exception: " + e);
    }
  }
}

Python

def update_mute_rule(mute_config_name: str) -> None:
    """
    Updates an existing mute configuration.
    The following can be updated in a mute config: description and filter.
    Args:
        mute_config_name: Specify the name of the mute config to update.
                          Use any one of the following formats:
                          - organizations/{organization}/muteConfigs/{config_id}
                          - folders/{folder}/muteConfigs/{config_id}
                          - projects/{project}/muteConfigs/{config_id}
    """
    from google.cloud import securitycenter
    from google.protobuf import field_mask_pb2

    client = securitycenter.SecurityCenterClient()

    update_mute_config = securitycenter.MuteConfig()
    update_mute_config.name = mute_config_name
    update_mute_config.description = "Updated mute config description"

    field_mask = field_mask_pb2.FieldMask(paths=["description"])

    request = securitycenter.UpdateMuteConfigRequest()
    request.mute_config = update_mute_config
    # Set the update mask to specify which properties of the Mute Config should be updated.
    # If empty, all mutable fields will be updated.
    # Make sure that the mask fields match the properties changed in 'update_mute_config'.
    # For more info on constructing update mask path, see the proto or:
    # https://cloud.google.com/security-command-center/docs/reference/rest/v1/folders.muteConfigs/patch?hl=en#query-parameters
    request.update_mask = field_mask

    mute_config = client.update_mute_config(request)
    print(f"Updated mute rule : {mute_config}")

REST API

In the API, use the muteConfigs patch method to make the following request. The request body is an instance of MuteConfig.

To get the CONFIG_ID for mute rules, first execute an API call to list mute rules. The response includes config IDs for returned mute rules.

PATCH https://securitycenter.googleapis.com/v1/RESOURCE/RESOURCE_ID/muteConfigs/CONFIG_ID

  {
    "description": "RULE_DESCRIPTION",
    "filter": FILTER
  }

Replace the following:

  • RESOURCE: the parent resource for your mute rule (organizations, folders, or projects)
  • RESOURCE_ID: the numeric ID for the selected resource
  • CONFIG_ID: the numeric ID of the mute rule
  • RULE_DESCRIPTION: a description of the mute rule (max: 1,024 characters)
  • FILTER: the expression you define to filter findings

    For example, to mute OPEN_FIREWALL findings, your filter can be "category=\"OPEN_FIREWALL\"".

New findings that exactly match the filter are hidden, and the mute attribute for the findings is set to MUTED.

Updating mute rules doesn't automatically unmute any findings that were muted by previous rules. You must manually unmute findings.

Delete mute rules

Before deleting mute rules, understand the following:

  • You can't recover deleted mute rules.
  • Deleting mute rules doesn't automatically unmute any findings that are currently muted. You must manually or programmatically unmute findings.
  • Future findings that match filters in deleted mute rules aren't muted.

To delete a mute rule, perform the following steps, or run any of the code samples:

Console

  1. In the Google Cloud console, go to the Mute rules tab in the Security Command Center Settings page.

  2. If necessary, select your Google Cloud project or organization.

  3. Click the name of the mute rule you want to delete.

  4. Click Delete.

  5. Read the dialog and, if satisfied, click Delete.

gcloud

  1. In the Google Cloud console, activate Cloud Shell.

    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. To delete mute rules, run the gcloud scc muteconfigs delete command:

      gcloud scc muteconfigs delete MUTE_CONFIG_ID \
        --RESOURCE=RESOURCE_ID
    

    Replace the following:

    • MUTE_CONFIG_ID: the ID for the mute config
    • RESOURCE: the parent resource for your mute rule (organization, folder, or project)
    • RESOURCE_ID: the numeric ID for the selected resource

  3. Confirm your request to delete the mute rule.

Go


import (
	"context"
	"fmt"
	"io"

	securitycenter "cloud.google.com/go/securitycenter/apiv1"
	"cloud.google.com/go/securitycenter/apiv1/securitycenterpb"
)

// deleteMuteRule deletes a mute configuration given its resource name.
// Note: Previously muted findings are not affected when a mute config is deleted.
func deleteMuteRule(w io.Writer, parent string, muteConfigId string) error {
	// parent: Use any one of the following options:
	//             - organizations/{organization_id}
	//             - folders/{folder_id}
	//             - projects/{project_id}
	// parent := fmt.Sprintf("projects/%s", "your-google-cloud-project-id")
	//
	// muteConfigId: Specify the name of the mute config to delete.
	// muteConfigId := "mute-config-id"
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %w", err)
	}
	defer client.Close()

	req := &securitycenterpb.DeleteMuteConfigRequest{
		Name: fmt.Sprintf("%s/muteConfigs/%s", parent, muteConfigId),
	}

	if err := client.DeleteMuteConfig(ctx, req); err != nil {
		return fmt.Errorf("failed to delete Muteconfig: %w", err)
	}
	fmt.Fprintf(w, "Mute rule deleted successfully: %s", muteConfigId)
	return nil
}

Java


import com.google.cloud.securitycenter.v1.MuteConfigName;
import com.google.cloud.securitycenter.v1.SecurityCenterClient;
import java.io.IOException;

public class DeleteMuteRule {

  public static void main(String[] args) {
    // TODO(Developer): Replace the following variables
    // projectId: The ID of the Google Cloud project that contains the mute rule.
    // For a rule under an organization or folder, pass that ID instead and switch
    // the MuteConfigName method used in deleteMuteRule accordingly.
    String projectId = "your-google-cloud-project-id";

    // muteConfigId: Specify the name of the mute config to delete.
    String muteConfigId = "mute-config-id";

    deleteMuteRule(projectId, muteConfigId);
  }

  // Deletes a mute configuration given its resource name.
  // Note: Previously muted findings are not affected when a mute config is deleted.
  public static void deleteMuteRule(String projectId, String muteConfigId) {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the "close" method on the client to safely clean up any remaining background resources.
    try (SecurityCenterClient client = SecurityCenterClient.create()) {
      // Use appropriate MuteConfigName methods depending on the type of parent.
      // org -> MuteConfigName.ofOrganizationMuteConfigName()
      // folder -> MuteConfigName.ofFolderMuteConfigName()
      // project -> MuteConfigName.ofProjectMuteConfigName()
      client.deleteMuteConfig(MuteConfigName.ofProjectMuteConfigName(projectId, muteConfigId));

      System.out.println("Mute rule deleted successfully: " + muteConfigId);
    } catch (IOException e) {
      System.out.println("Mute rule deletion failed! \n Exception: " + e);
    }
  }
}

Python

def delete_mute_rule(mute_config_name: str) -> None:
    """
    Deletes a mute configuration given its resource name.
    Note: Previously muted findings are not affected when a mute config is deleted.
    Args:
        mute_config_name: Specify the name of the mute config to delete.
                          Use any one of the following formats:
                          - organizations/{organization}/muteConfigs/{config_id}
                          - folders/{folder}/muteConfigs/{config_id} or
                          - projects/{project}/muteConfigs/{config_id}
    """
    from google.cloud import securitycenter

    client = securitycenter.SecurityCenterClient()

    request = securitycenter.DeleteMuteConfigRequest()
    request.name = mute_config_name

    client.delete_mute_config(request)
    print(f"Mute rule deleted successfully: {mute_config_name}")

REST API

In the API, use the muteConfigs delete method to make the following request. The request body is empty.

To get the CONFIG_ID for mute rules, execute an API call to list mute rules. The response includes config IDs for returned mute rules.

DELETE https://securitycenter.googleapis.com/v1/RESOURCE/RESOURCE_ID/muteConfigs/CONFIG_ID

Replace the following:

  • RESOURCE: the parent resource for your mute rule (organizations, folders, or projects)
  • RESOURCE_ID: the numeric ID for the selected resource
  • CONFIG_ID: the numeric ID of the mute rule
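
Because deleted mute rules can't be recovered, it helps to save a rule's description and filter before deleting it. The following is an added example, not one of the product's own samples: the function names, the backup file layout, and the stub client are assumptions, and the only client calls used are get_mute_config and delete_mute_config.

```python
import json
import re
import tempfile
from pathlib import Path
from types import SimpleNamespace

# Resource name formats this page lists for mute rules.
_NAME_RE = re.compile(
    r"^((?:organizations|folders|projects)/[^/]+)/muteConfigs/([^/]+)$"
)


def backup_and_delete_mute_rule(client, mute_config_name: str, backup_dir: str) -> Path:
    """Save a rule's description and filter as JSON, then delete the rule.

    client: a securitycenter.SecurityCenterClient, or any object exposing
    get_mute_config(name=...) and delete_mute_config(name=...).
    """
    if not _NAME_RE.match(mute_config_name):
        raise ValueError(f"not a mute config resource name: {mute_config_name!r}")
    config = client.get_mute_config(name=mute_config_name)
    record = {"name": config.name, "description": config.description,
              "filter": config.filter}
    # Write the backup first: if this raises, the rule is never deleted.
    out = Path(backup_dir) / (mute_config_name.replace("/", "_") + ".json")
    out.parent.mkdir(parents=True, exist_ok=True)
    out.write_text(json.dumps(record, indent=2))
    client.delete_mute_config(name=mute_config_name)
    return out


def restore_args(backup_path) -> dict:
    """Turn a backup file into the parent, mute_config_id and mute_config
    values needed to create the rule again."""
    record = json.loads(Path(backup_path).read_text())
    parent, config_id = _NAME_RE.match(record["name"]).groups()
    return {"parent": parent, "mute_config_id": config_id,
            "mute_config": {"description": record["description"],
                            "filter": record["filter"]}}


if __name__ == "__main__":
    # Constructed stand-in for the real client so the example runs offline.
    rule = SimpleNamespace(name="organizations/123/muteConfigs/rule-1",
                           description="constructed sample rule",
                           filter='category="OPEN_FIREWALL"')
    stub = SimpleNamespace(get_mute_config=lambda name: rule,
                           delete_mute_config=lambda name: None)
    path = backup_and_delete_mute_rule(stub, rule.name, tempfile.mkdtemp())
    print(restore_args(path))
```

Recreating a rule from the backup only mutes future matching findings; findings muted by the deleted rule stay muted until you unmute them.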

What's next

Learn more about filtering finding notifications.

Look through more examples of filters you can use.