Using security marks

Use security marks, or "marks," to annotate assets or findings in Security Command Center and then search, select, or filter by the mark. Marks let you attach ACL-style annotations to assets and findings, and then group them by those annotations for management, policy application, or integration with a workflow. You can also use marks to record priority, access level, or sensitivity classifications.

Before you begin

To add or change security marks, you must have an Identity and Access Management (IAM) role that includes permissions for the kind of mark that you want to use:

  • Asset marks: Asset Security Marks Writer (securitycenter.assetSecurityMarksWriter)
  • Finding marks: Finding Security Marks Writer (securitycenter.findingSecurityMarksWriter)

Security marks, labels, and tags

Security marks are unique to Security Command Center and exist only in the Security Command Center database. IAM permissions apply to security marks, so only users who hold the appropriate Security Command Center roles can use them. Reading and editing marks requires the Security Center Asset Security Marks Writer and Security Center Finding Security Marks Writer roles. These roles don't include permissions to access the underlying resource.

Security marks enable you to add your business context for assets and findings. Labels and tags are similar kinds of metadata that are available through Security Command Center, but they have a slightly different use and permissions model. Because IAM roles apply to security marks, they can be used to group and enforce policies on both assets and findings.

Labels are user-level annotations that are applied to specific resources and are supported across multiple Google Cloud products. Labels are primarily used for billing accounting and attribution.

Tags are also a user-level annotation, specific to Compute Engine resources. Tags are primarily used to define security groups, network segmentation, and firewall rules.

Reading or updating labels and tags is tied to the permissions on the underlying resource. Labels and tags are ingested as part of the resource attributes in the Security Command Center assets display. You can search for specific label and tag presence, and specific keys and values, during post-processing of List API results.

Using security marks

You can use security marks to group, filter, define policy groups, or add business context to assets and findings in Security Command Center. Asset marks are separate from finding marks. Asset marks are not automatically added to findings for assets.

Security marks in the assets display

The following steps apply the same mark to two or more projects (as assets) so that you can later filter or group them by it:

  1. Go to the Security Command Center Assets page in the Cloud Console.
  2. Select the organization you want to review.
  3. On the assets display that appears, under resourceProperties.name, select checkboxes for two or more projects that you want to mark.
  4. Select Set Security Marks.
  5. In the Security Marks dialog box that appears, click Add mark.
  6. Identify the projects by adding Key and Value items.

    For example, if you want to mark projects that are in a production stage, add a key of "stage" and a value of "prod". Each project then has the new mark.stage: prod.

  7. To edit an existing mark, update text in the Value field. You can delete marks by clicking the trash icon next to the mark.

  8. When you're finished adding marks, click Save.

The projects you selected are now associated with a mark. By default, marks display as a column in the assets display.

Read Managing policies for information on dedicated asset marks for Security Health Analytics detectors.

Security marks in the findings display

The following steps apply the same mark to two or more findings so that you can later filter or group them by it:

  1. Go to the Security Command Center Findings page in the Cloud Console.
  2. Select the organization you want to review.
  3. On the findings display that appears, under category, select checkboxes for two or more finding categories that you want to mark.
  4. Select Set security marks.
  5. In the Security Marks dialog that appears, click Add mark.
  6. Identify the finding categories by adding Key and Value items.

    For example, if you want to mark findings that are part of the same incident, add a key of "incident-number" and a value of "1234". Each finding then has the new mark.incident-number: 1234.

  7. To edit an existing mark, update text in the Value field.

  8. To delete marks, click the trash icon next to the mark.

  9. When you're finished adding marks, click Save.
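
Both procedures above end with a set of assets or findings that share a key and value, which you then filter or group by mark; the same data can be handled outside the console when you post-process List API results, as the "Security marks, labels, and tags" section describes. The following added example (not code from the Security Command Center documentation or client libraries) shows that workflow on constructed records shaped like the API's assets and findings, each carrying a securityMarks.marks map. It builds the update payload for a single asset or finding, applies it locally with the update-mask semantics I understand the service to use (only keys listed in the mask change, and a masked key omitted from marks is deleted), and filters and groups records by mark. The request shape (securityMarks.name, securityMarks.marks, updateMask) is my reading of the updateSecurityMarks API, not something this page states; the resource names and mark values are constructed.

```python
"""Build security-mark updates and filter/group listed assets and findings by mark.

Added example; not code from the Security Command Center docs or libraries.
Sample records are constructed and trimmed to the fields needed here.
"""
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample of assets, resembling trimmed List API output.
SAMPLE_ASSETS = [
    {"name": "organizations/111/assets/1",
     "resourceProperties": {"name": "web-prod"},
     "securityMarks": {"marks": {"stage": "prod", "owner": "team-a"}}},
    {"name": "organizations/111/assets/2",
     "resourceProperties": {"name": "web-dev"},
     "securityMarks": {"marks": {"stage": "dev"}}},
    {"name": "organizations/111/assets/3",
     "resourceProperties": {"name": "billing-prod"},
     "securityMarks": {"marks": {"stage": "prod"}}},
    {"name": "organizations/111/assets/4",
     "resourceProperties": {"name": "sandbox"},
     "securityMarks": {}},  # no marks set yet
]

# Constructed sample of findings, two of them tied to the same incident.
SAMPLE_FINDINGS = [
    {"name": "organizations/111/sources/5/findings/a",
     "category": "SSL_NOT_ENFORCED",
     "securityMarks": {"marks": {"incident-number": "1234"}}},
    {"name": "organizations/111/sources/5/findings/b",
     "category": "OPEN_FIREWALL",
     "securityMarks": {"marks": {"incident-number": "1234"}}},
    {"name": "organizations/111/sources/5/findings/c",
     "category": "OPEN_FIREWALL",
     "securityMarks": {"marks": {"incident-number": "9"}}},
]


def marks_of(record: dict) -> Dict[str, str]:
    """Return the mark map of an asset or finding, or {} when none is set."""
    return (record.get("securityMarks") or {}).get("marks") or {}


def build_marks_update(parent_name: str, marks: Dict[str, str],
                       delete_keys: Iterable[str] = ()) -> dict:
    """Build one updateSecurityMarks request body (assumed shape, see lead-in).

    parent_name is the asset or finding resource name. Keys in `marks` are set
    or overwritten; keys in `delete_keys` are listed in the mask but left out
    of `marks`, which removes them. Marks not named in the mask are untouched.
    """
    paths = [f"marks.{k}" for k in list(marks) + list(delete_keys)]
    return {
        "securityMarks": {"name": f"{parent_name}/securityMarks",
                          "marks": dict(marks)},
        "updateMask": ",".join(paths),
    }


def apply_marks_update(record: dict, request: dict) -> dict:
    """Apply a request to a local copy of the record using mask semantics."""
    current = dict(marks_of(record))
    new_marks = request["securityMarks"]["marks"]
    for path in request["updateMask"].split(","):
        key = path.split(".", 1)[1]          # "marks.stage" -> "stage"
        if key in new_marks:
            current[key] = new_marks[key]
        else:
            current.pop(key, None)           # masked but absent: delete
    updated = dict(record)
    updated["securityMarks"] = {"marks": current}
    return updated


def filter_by_mark(records: Iterable[dict], key: str, value: str = None) -> List[dict]:
    """Keep records carrying mark `key` (and exactly `value`, when given)."""
    out = []
    for record in records:
        marks = marks_of(record)
        if key in marks and (value is None or marks[key] == value):
            out.append(record)
    return out


def group_by_mark(records: Iterable[dict], key: str) -> Dict[str, List[str]]:
    """Map each value of mark `key` to the resource names that carry it."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for record in records:
        value = marks_of(record).get(key)
        if value is not None:
            groups[value].append(record["name"])
    return dict(groups)


if __name__ == "__main__":
    prod = filter_by_mark(SAMPLE_ASSETS, "stage", "prod")
    print("stage=prod:", [a["resourceProperties"]["name"] for a in prod])
    print("by incident:", group_by_mark(SAMPLE_FINDINGS, "incident-number"))
    req = build_marks_update("organizations/111/assets/1", {"stage": "staging"},
                             delete_keys=["owner"])
    print("after update:", marks_of(apply_marks_update(SAMPLE_ASSETS[0], req)))
```

The local filter is the post-processing the page describes for labels and tags. For marks specifically, I understand the List APIs also accept a server-side filter on security marks; that is from my knowledge of the API rather than this page, so check the API reference before relying on it.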

Managing policies

You can set marks on assets to explicitly include or exclude those resources from specific policies. Each Security Health Analytics detector has a dedicated mark type that lets you exclude marked resources from the detection policy: add a security mark of the form allow_finding-type, where finding-type is the finding type in lowercase. For example, to exclude the finding type SSL_NOT_ENFORCED, use the security mark allow_ssl_not_enforced:true. This mark type gives you per-resource, per-detector control. For more information about setting marks on Security Health Analytics findings, see Using Security Health Analytics.
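
Because an allow_finding-type mark silences a detector for that resource, it is worth being able to derive the mark key from a finding type and to report which assets carry such exclusions. The following added example (not code from Security Command Center) does both on a constructed mark map. The key convention, allow_ followed by the lowercased finding type with the value true, is taken from the example on this page; the check matches the literal value "true", since the page does not say whether other spellings are honoured, and the asset names and marks are constructed.

```python
"""Derive Security Health Analytics exclusion-mark keys and audit which
assets carry them. Added example; not code from Security Command Center."""
import re
from typing import Dict, List

# Constructed map of asset resource name -> that asset's security marks.
ASSET_MARKS: Dict[str, Dict[str, str]] = {
    "organizations/111/assets/10": {"allow_ssl_not_enforced": "true", "stage": "prod"},
    "organizations/111/assets/11": {"allow_ssl_not_enforced": "false"},
    "organizations/111/assets/12": {"allow_open_firewall": "true"},
    "organizations/111/assets/13": {"stage": "dev"},
}


def exclusion_mark_key(finding_type: str) -> str:
    """Map a finding type to its exclusion mark key per the page's convention:
    SSL_NOT_ENFORCED -> allow_ssl_not_enforced."""
    if not re.fullmatch(r"[A-Z][A-Z0-9_]*", finding_type):
        raise ValueError(f"unexpected finding type format: {finding_type!r}")
    return "allow_" + finding_type.lower()


def is_excluded(marks: Dict[str, str], finding_type: str) -> bool:
    """True when the asset carries allow_<finding-type> with the value true."""
    return marks.get(exclusion_mark_key(finding_type)) == "true"


def audit_exclusions(asset_marks: Dict[str, Dict[str, str]],
                     finding_type: str) -> List[str]:
    """Return the asset names opted out of a detector, for periodic review
    (exclusion marks suppress findings, so they deserve their own report)."""
    return sorted(name for name, marks in asset_marks.items()
                  if is_excluded(marks, finding_type))


def all_exclusions(asset_marks: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Map every finding type with an active exclusion to the assets excluded."""
    report: Dict[str, List[str]] = {}
    for name, marks in asset_marks.items():
        for key, value in marks.items():
            if key.startswith("allow_") and value == "true":
                finding_type = key[len("allow_"):].upper()
                report.setdefault(finding_type, []).append(name)
    return {ft: sorted(names) for ft, names in sorted(report.items())}


if __name__ == "__main__":
    print(exclusion_mark_key("SSL_NOT_ENFORCED"))
    print(audit_exclusions(ASSET_MARKS, "SSL_NOT_ENFORCED"))
    print(all_exclusions(ASSET_MARKS))
```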

What's next