Stay organized with collections
Save and categorize content based on your preferences.
This document explains how you can group findings into cases.
These steps are performed using Security Operations console pages.
To open these pages from the Google Cloud console, go to
Settings > SOAR settings.
Overview
The findings grouping mechanism automatically groups ingested findings into
cases. By default, this grouping mechanism ensures that all findings in a case
belong to the same:
Resource owner
Google Cloud project
AWS account
Asset type
Category
Severity level
Configure grouping settings
To configure the default grouping settings applicable to all ingested findings,
follow these steps:
In the Security Operations console, go to Settings > Ingestion
> Connectors.
To customize the grouping mechanism and disable specific grouping options,
clear the checkboxes for one or more of the following parameters:
Group by AWS Account
Group by GCP Project
Group by Severity
Group by Asset Type
By default, the following grouping settings apply to ingested findings:
Group by AWS Account: Findings are grouped according to the AWS accounts
they belong to.
Group by GCP Project: Findings are grouped according to the Google Cloud
projects they belong to.
Group by Severity: Findings are grouped according to their severitylevel,
such as HIGH or MEDIUM.
Group by Asset Type: Findings are grouped according to their asset
type (Google Cloud resource type),
such as Compute Engine instance or IAM service account.
All findings that are grouped into a case belong to the same owner. To ensure
that findings are grouped correctly, including findings with no inherited
Google Cloud tags or Essential Contacts, always configure the
connector Fallback Owner parameter.
Example: How the grouping mechanism works
In this example, only findings from Google Cloud are used.
The connector ingests four findings with different severities
and different values inherited from their respective Google Cloud resources:
Selecting only the Group by GCP Project checkbox automatically groups findings
according to their Google Cloud projects so that a case only contains findings
belonging to the same project:
Selecting only the Group by Severity checkbox automatically groups findings
according to their severities so that a case only contains findings with the same
severity level:
Selecting only the Group by Asset Type checkbox automatically groups findings
according to their asset types (resource types in Google Cloud) so that a case
only contains findings belonging to the same resource:
Selecting both Group by GCP Project and Group by Severity checkboxes
automatically groups findings according to their respective projects and severity
levels so that a case only contains findings belonging to the same project and
possessing the same severity. In this example, the connector creates four
following cases:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[],[],null,["# Group findings in cases\n\n| Enterprise [service tier](/security-command-center/docs/service-tiers)\n\nThis document explains how you can group findings into cases.\n\nThese steps are performed using Security Operations console pages.\nTo open these pages from the Google Cloud console, go to\n**Settings \\\u003e SOAR settings**.\n\nOverview\n--------\n\nThe findings grouping mechanism automatically groups ingested findings into\ncases. By default, this grouping mechanism ensures that all findings in a case\nbelong to the same:\n\n- Resource owner\n- Google Cloud project\n- AWS account\n- Asset type\n- Category\n- Severity level\n\nConfigure grouping settings\n---------------------------\n\nTo configure the default grouping settings applicable to all ingested findings,\nfollow these steps:\n\n1. In the Security Operations console, go to **Settings \\\u003e Ingestion\n \\\u003e Connectors**.\n\n2. Select **SCC Enterprise - Urgent Posture Findings Connector**.\n\n3. To customize the grouping mechanism and disable specific grouping options,\n clear the checkboxes for one or more of the following parameters:\n\n - `Group by AWS Account`\n - `Group by GCP Project`\n - `Group by Severity`\n - `Group by Asset Type`\n\n| **Important:** When customizing the grouping mechanism, we recommend to always select the **Group by GCP Project** and **Group by Asset Type** checkboxes and the **Group by AWS Account**, if the latter applies.\n\nBy default, the following grouping settings apply to ingested findings:\n\n- **Group by AWS Account**: Findings are grouped according to the AWS accounts\n they belong to.\n\n- **Group by GCP Project**: Findings are grouped according to the Google Cloud\n projects they belong to.\n\n- **Group by Severity** : Findings are grouped according to their `severity`\n [level](/security-command-center/docs/finding-severity-classifications),\n such as `HIGH` or `MEDIUM`.\n\n- **Group by Asset Type** : Findings are grouped according to their asset\n type (Google Cloud [resource type](/resource-manager/docs/cloud-platform-resource-hierarchy)),\n such as Compute Engine instance or IAM service account.\n\nAll findings that are grouped into a case belong to the same owner. To ensure\nthat findings are grouped correctly, including findings with no inherited\nGoogle Cloud tags or Essential Contacts, always configure the\nconnector `Fallback Owner` parameter.\n\n### Example: How the grouping mechanism works\n\nIn this example, only findings from Google Cloud are used.\n\nThe connector ingests four findings with different severities\nand different values inherited from their respective Google Cloud resources:\n\n- Finding 1: Severity: `Critical`, Asset Type: `Compute`, Project: `Project_1`\n\n- Finding 2: Severity: `Critical`, Asset Type: `IAM`, Project: `Project_2`\n\n- Finding 3: Severity: `High`, Asset Type: `Compute`, Project: `Project_1`\n\n- Finding 4: Severity: `High`, Asset Type: `Compute`, Project: `Project_2`\n\n#### Default grouping mechanism\n\nDefault settings mean that the findings are grouped according to their respective\nprojects, asset types, and severity property.\n\nIn this example, every finding is included in a different case.\n\n- Case 1:\n\n - Finding 1: Severity: **`Critical`** , Asset Type: **`Compute`** , Project: **`Project_1`**\n- Case 2:\n\n - Finding 2: Severity: **`Critical`** , Asset Type: **`IAM`** , Project: **`Project_2`**\n- Case 3:\n\n - Finding 3: Severity: **`High`** , Asset Type: **`Compute`** , Project: **`Project_1`**\n- Case 4:\n\n - Finding 4: Severity: **`High`** , Asset Type: **`Compute`** , Project: **`Project_2`**\n\n#### Custom grouping mechanism\n\nSelecting only the **Group by GCP Project** checkbox automatically groups findings\naccording to their Google Cloud projects so that a case only contains findings\nbelonging to the same project:\n\n- Case 1:\n\n - Finding 1: Severity `Critical`, Asset Type: `Compute`, Project: **`Project_1`**\n - Finding 3: Severity `High`, Asset Type: `Compute`, Project: **`Project_1`**\n- Case 2:\n\n - Finding 2: Severity `Critical`, Asset Type: `IAM`, Project: **`Project_2`**\n - Finding 4: Severity `High`, Asset Type: `Compute`, Project: **`Project_2`**\n\nSelecting only the **Group by Severity** checkbox automatically groups findings\naccording to their severities so that a case only contains findings with the same\nseverity level:\n\n- Case 1:\n\n - Finding 1: Severity: **`Critical`** , Asset Type: `Compute`, Project: `Project_1`\n - Finding 2: Severity: **`Critical`** , Asset Type: `IAM`, Project: `Project_2`\n- Case 2:\n\n - Finding 3: Severity: **`High`** , Asset Type: `Compute`, Project: `Project_1`\n - Finding 4: Severity: **`High`** , Asset Type: `Compute`, Project: `Project_2`\n\nSelecting only the **Group by Asset Type** checkbox automatically groups findings\naccording to their asset types (resource types in Google Cloud) so that a case\nonly contains findings belonging to the same resource:\n\n- Case 1:\n\n - Finding 1: Severity: `Critical`, Asset Type: **`Compute`** , Project: `Project_1`\n - Finding 3: Severity: `High`, Asset Type: **`Compute`** , Project: `Project_1`\n - Finding 4: Severity: `High`, Asset Type: **`Compute`** , Project: `Project_2`\n- Case 2:\n\n - Finding 2: Severity: `Critical`, Asset Type: **`IAM`** , Project: `Project_2`\n\nSelecting both **Group by GCP Project** and **Group by Severity** checkboxes\nautomatically groups findings according to their respective projects and severity\nlevels so that a case only contains findings belonging to the same project *and*\npossessing the same severity. In this example, the connector creates four\nfollowing cases:\n\n- Case 1:\n\n - Finding 1: Severity: **`Critical`** , Asset Type: `Compute`, Project: **`Project_1`**\n- Case 2:\n\n - Finding 2: Severity: **`Critical`** , Resource Type: `IAM`, Project: **`Project_2`**\n- Case 3:\n\n - Finding 3: Severity: **`High`** , Resource Type: `Compute`, Project: **`Project_1`**\n- Case 4:\n\n - Finding 4: Severity: **`High`** , Resource Type: `Compute`, Project: **`Project_2`**\n\nWhat's next?\n------------\n\n- Learn more about [alerts](/chronicle/docs/soar/investigate/working-with-alerts/whats-on-the-alert-overview-tab) in the Google SecOps documentation."]]
