To view the case details of an identity and access misconfiguration case from
the Findings page, take the following steps:
In the Google Cloud console, select Findings in the navigation.
Click Identity to display a pre-filtered query for identity and access
findings.
Identify a finding with a value in the Case ID column.
Do one of the following to open the case details:
Click the value in the Case ID column.
Click the finding name in the Category column. In the Finding
details pane, go to the Case information section. Click the case ID
number in the Case ID row.
The Cases window opens and displays details about the case, including the
following information:
List of alert events associated with the case
Playbooks attached to the alert
A finding description
Next steps for remediation
Information about the impacted asset
Ticket information (if you connected your ticketing system to Security Command Center)
If you have connected Security Command Center to Jira or ServiceNow, you
can use the ticket ID link to navigate to your ticketing system.
Check the Case Wall tab for details about the activity performed on the
case and included alerts.
Check the Case Overview tab for a full overview of the case.
On the Cases page, you can see all cases created for your environment,
not just identity and access cases. You can navigate all
existing cases in the cases list on the left side of the page. You can
also search and filter the list to make it easier to identify cases to
focus on.
For more information on working with cases, see
Cases overview.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Review cases for identity and access issues\n\n| Enterprise [service tier](/security-command-center/docs/service-tiers) (not available if [data residency controls](docs/data-residency-support) are enabled)\n\nThis page explains how to review cases corresponding to identity and access\nfindings in Security Command Center.\n\nSecurity Command Center automatically creates cases for threat findings, toxic combinations, and findings related to toxic combinations.\n\nBefore you begin\n----------------\n\nMake sure you have completed the following tasks before continuing:\n\n- Learn about [Security Command Center's CIEM capabilities](/security-command-center/docs/ciem-overview).\n- [Set up permissions for CIEM](/security-command-center/docs/ciem-enable-service#ciem-permissions).\n- [Enable the CIEM detection service for AWS](/security-command-center/docs/ciem-enable-service).\n- [Connect your ticketing system](/security-command-center/docs/integrate-ticketing-systems).\n\nView case details\n-----------------\n\nTo view the case details of an identity and access misconfiguration case from\nthe **Findings** page, take the following steps:\n\n1. In the Google Cloud console, select **Findings** in the navigation.\n2. Click **Identity** to display a pre-filtered query for identity and access findings.\n3. Identify a finding with a value in the **Case ID** column.\n4. Do one of the following to open the case details:\n\n - Click the value in the **Case ID** column.\n - Click the finding name in the **Category** column. In the **Finding\n details** pane, go to the **Case information** section. Click the case ID number in the **Case ID** row.\n\n The **Cases** window opens and displays details about the case, including the\n following information:\n - List of alert events associated with the case\n - Playbooks attached to the alert\n - A finding description\n - Next steps for remediation\n - Information about the impacted asset\n - Ticket information (if you connected your ticketing system to Security Command Center)\n5. If you have connected Security Command Center to Jira or ServiceNow, you\n can use the ticket ID link to navigate to your ticketing system.\n\n6. Check the **Case Wall** tab for details about the activity performed on the\n case and included alerts.\n\n7. Check the **Case Overview** tab for a full overview of the case.\n\nOn the **Cases** page, you can see all cases created for your environment,\nnot just identity and access cases. You can navigate all\nexisting cases in the cases list on the left side of the page. You can\nalso search and filter the list to make it easier to identify cases to\nfocus on.\n\nFor more information on working with cases, see\n[Cases overview](/security-command-center/docs/cases-overview).\n\nWhat's next\n-----------\n\n- Learn how to [investigate identity and access findings](/security-command-center/docs/ciem-identity-access-findings).\n- Learn more about cases from the Google SecOps documentation:\n - [Cases overview tab](/chronicle/docs/soar/investigate/working-with-cases/whats-on-the-case-overview-tab)\n - [What's on the Cases page?](/chronicle/docs/soar/investigate/working-with-cases/whats-on-the-cases-screen)\n - [How to perform a manual action on a case](/chronicle/docs/soar/investigate/working-with-cases/perform-a-manual-action)\n - [How to simulate cases](/chronicle/docs/soar/investigate/working-with-cases/simulate-cases)\n - [Work with playbook blocks](/chronicle/docs/soar/respond/working-with-playbooks/working-with-playbook-blocks)"]]
