Mute findings in cases

This document describes how muting findings from the Security Operations console can reduce the number of findings that are ingested into cases in Security Command Center Enterprise.

Cases, alerts, and the SCC Enterprise - Urgent Posture Findings Connector are functionality powered by Google Security Operations.

Overview

Muting findings in the Security Operations console prevents them from appearing in cases. You can mute findings in bulk by running a manual action on a case, or mute an individual finding by running a manual action on the specific alert that contains it.

The SCC Enterprise - Urgent Posture Findings Connector ingests all findings into cases, but some findings might be irrelevant to your project or reflect expected behavior. A steady flow of such negligible findings adds to the security analysts' workload and can prevent them from responding effectively to important vulnerabilities. Instead of being repeatedly notified about known irrelevant findings in Security Command Center Enterprise, you can mute them.

Mute multiple findings

To mute multiple findings in a case, complete the following steps:

  1. In the Security Operations console, go to Cases.
  2. Select a case containing the findings to mute.
  3. In the Case Overview tab, click Manual Action.
  4. In the manual action Search field, enter Update Finding.
  5. In the search results under the GoogleSecurityCommandCenter integration, select the Update Finding action. The action dialog window opens.

    By default, the Run on Alerts parameter is set to the All Alerts value.

  6. Optional: To change the Run on Alerts parameter default settings, select the relevant finding types from the drop-down list.

  7. To configure the Finding Name parameter, enter the following placeholder: [Alert.TicketID]

    The placeholder dynamically resolves to the finding name of each selected alert, so the action updates every finding covered by the Run on Alerts setting.

  8. To mute findings, set the Mute Status parameter to Mute.

  9. Click Execute.

Mute an individual finding

Muting an individual finding requires you to run the Update Finding action on a specific alert in the case. The action doesn't affect other alerts in the case.

To mute an individual finding, complete the following steps:

  1. In the Security Operations console, go to Cases.
  2. Select a case containing the findings to mute.
  3. In a case, select the alert containing a finding to mute.
  4. In an alert, go to the Events tab.
  5. To retrieve a Finding Name from an event, click View More. The detailed view of the event opens.
  6. Under the Highlighted Fields section, find the Name field. Click its value to see the full finding name, and copy it in the following format:

    organizations/ORGANIZATION_ID/sources/SOURCE_ID/finding/FINDING_ID
    
  7. In the Alert Overview tab of the selected alert, click Manual Action.

  8. In the manual action Search field, enter Update Finding.

  9. In the search results under the GoogleSecurityCommandCenter integration, select the Update Finding action. The action dialog window opens.

    By default, the Run on Alerts parameter is set to the selected alert value.

  10. To configure the Finding Name parameter, paste the Name value that you copied from the detailed view of the event.

  11. To mute a finding, set the Mute Status parameter to Mute.

  12. Click Execute.
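Both procedures above end up setting the mute state on findings identified by their resource name, either one copied by hand or many resolved from [Alert.TicketID]. The following is an added example, not part of this page or of the GoogleSecurityCommandCenter integration: it validates copied finding names against the format shown above and builds the corresponding Security Command Center SetMute request bodies without calling the API, so a bad paste is caught before any action runs. It assumes the SCC v1 SetMute request shape (fields name and mute, values MUTED and UNMUTED).

```python
import re
from typing import Dict, List

# Finding resource name in the shape the procedure tells you to copy from the
# alert's Name field. The page prints the segment as "finding/"; the SCC API
# resource name uses "findings/", so both spellings are accepted on input.
_FINDING_NAME = re.compile(
    r"^organizations/(?P<org>\d+)/sources/(?P<source>\d+)"
    r"/findings?/(?P<finding>[A-Za-z0-9_-]+)$"
)


def parse_finding_name(name: str) -> Dict[str, str]:
    """Split a copied finding name into its IDs; raise ValueError on a bad
    paste (truncated name, stray characters, non-organization parent)."""
    m = _FINDING_NAME.match(name.strip())
    if not m:
        raise ValueError(f"not an organization-scoped finding name: {name!r}")
    return m.groupdict()


def build_set_mute_request(name: str, mute: bool = True) -> Dict[str, str]:
    """Build the body of one SetMute call (assumed SCC v1 shape: name + mute).
    The canonical name always uses the API's plural 'findings' segment."""
    ids = parse_finding_name(name)
    canonical = (f"organizations/{ids['org']}/sources/{ids['source']}"
                 f"/findings/{ids['finding']}")
    return {"name": canonical, "mute": "MUTED" if mute else "UNMUTED"}


def mute_requests_for_case(ticket_ids: List[str]) -> Dict[str, List]:
    """Mirror the bulk path: each alert's TicketID in a case becomes one
    request. Names that do not parse are reported, never silently skipped."""
    ok, bad = [], []
    for tid in ticket_ids:
        try:
            ok.append(build_set_mute_request(tid))
        except ValueError as exc:
            bad.append(str(exc))
    return {"requests": ok, "rejected": bad}


if __name__ == "__main__":
    # Constructed sample values, not real findings.
    sample = [
        "organizations/123456789012/sources/5678901234567/finding/abc123def456",
        "organizations/123456789012/sources/5678901234567/findings/ghi789",
        "projects/example-project/sources/1/findings/x",  # not the org-scoped format
    ]
    print(mute_requests_for_case(sample))
```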
