Review cases for identity and access issues

Stay organized with collections Save and categorize content based on your preferences.

This page explains how to review cases corresponding to identity and access findings in Security Command Center.

Security Command Center automatically creates cases for threat findings, toxic combinations, and findings related to toxic combinations.

Before you begin

Make sure you have completed the following tasks before continuing:

• Learn about Security Command Center's CIEM capabilities.
• Set up permissions for CIEM.
• Enable the CIEM detection service for AWS.
• Connect your ticketing system.

View case details

To view the case details of an identity and access misconfiguration case from the Findings page, take the following steps:

1. In the Google Cloud console, select Findings in the navigation.
2. Click Identity to display a pre-filtered query for identity and access findings.
3. Identify a finding with a value in the Case ID column.

4. Do one of the following to open the case details:

   • Click the value in the Case ID column.
   • Click the finding name in the Category column. In the Finding details pane, go to the Case information section. Click the case ID number in the Case ID row.

   The Cases window opens and displays details about the case, including the following information:

   • List of alert events associated with the case
   • Playbooks attached to the alert
   • A finding description
   • Next steps for remediation
   • Information about the impacted asset
   • Ticket information (if you connected your ticketing system to Security Command Center)

5. If you have connected Security Command Center to Jira or ServiceNow, you can use the ticket ID link to navigate to your ticketing system.

6. Check the Case Wall tab for details about the activity performed on the case and included alerts.

7. Check the Case Overview tab for a full overview of the case.

On the Cases page, you can see all cases created for your environment, not just identity and access cases. You can navigate all existing cases in the cases list on the left side of the page. You can also search and filter the list to make it easier to identify cases to focus on.

For more information on working with cases, see Cases overview.

What's next

• Learn how to investigate identity and access findings.
• Learn more about cases from the Google SecOps documentation:
  • Cases overview tab
  • What's on the Cases page?
  • How to perform a manual action on a case
  • How to simulate cases
  • Work with playbook blocks