Using security marks

You can use security marks, or "marks," in Security Command Center to annotate assets or findings and then search, select, or filter on the mark. Because marks carry their own IAM permissions, they work as access-controlled annotations on assets and findings: you can filter assets and findings by these annotations for management, policy application, or integration with your workflow, and you can use marks to record priority, access level, or sensitivity classifications.

You can add or update security marks only on assets that are supported by Security Command Center. For a list of the assets that Security Command Center supports, see Supported asset types in Security Command Center.

Before you begin

To add or change security marks, you must have an Identity and Access Management (IAM) role that includes permissions for the kind of mark that you want to use:

  • Asset marks: Security Center Asset Security Marks Writer (roles/securitycenter.assetSecurityMarksWriter)
  • Finding marks: Security Center Finding Security Marks Writer (roles/securitycenter.findingSecurityMarksWriter)

The IAM roles for Security Command Center can be granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.

Security marks

Security marks are unique to Security Command Center. IAM permissions apply to security marks, so only users who hold the appropriate Security Command Center roles can work with them. Reading and editing marks require the Security Center Asset Security Marks Writer and Security Center Finding Security Marks Writer roles. These roles don't include permissions to access the underlying resource, so a user can manage marks on an asset without being able to read or modify the asset itself.

Security marks enable you to add your business context to assets and findings. Because IAM roles apply to security marks, they can be used to filter and enforce policies on assets and findings.

Security marks are processed during batch scans, which run twice daily, and not in real time. There may be a delay of 12 to 24 hours before security marks are processed and enforcement policies that resolve or reopen findings are applied. In particular, a newly set mark is not immediately honored by a detector.

Labels and tags

Labels and tags are similar kinds of metadata that you can use with Security Command Center, but they have a slightly different use and permissions model than security marks.

Labels are user-level annotations that are applied to specific resources and are supported across multiple Google Cloud products. Labels are primarily used for billing accounting and attribution.

There are two types of tags in Google Cloud:

  • Network tags are user-level annotations, specific to Compute Engine resources. Network tags are primarily used to define security groups, network segmentation, and firewall rules.

  • Resource tags, or tags, are key-value pairs that can be attached to an organization, folder, or project. You can use tags to conditionally allow or deny policies based on whether a resource has a specific tag.

Reading or updating labels and tags is tied to the permissions on the underlying resource. Labels and tags are ingested as part of the resource attributes in the Security Command Center assets display. You can search for specific label and tag presence, and specific keys and values, during post-processing of List API results.

Adding security marks to assets and findings

You can add security marks to all resources that are supported by Security Command Center, including all asset types and findings.

Marks are visible in the Google Cloud console and Security Command Center API output, and can be used to filter, define policy groups, or add business context to assets and findings. Asset marks are separate from finding marks. Asset marks are not automatically added to findings for assets.

Security marks in the assets display

The following steps show you how to add security marks to assets on the Assets page:

  1. Go to the Security Command Center Assets page in the Google Cloud console.

    Go to Assets

  2. From the project selector, select the project, folder, or organization that contains the assets you need to mark.

  3. On the assets display that appears, select the checkbox for each asset that you want to mark.

  4. Select Set Security Marks.

  5. In the Security Marks dialog box that appears, click Add mark.

  6. Specify one or more security marks by adding Key and Value items.

    For example, if you want to mark projects that are in a production stage, add a key of "stage" and a value of "prod". Each selected project then has the new mark.stage: prod, which you can use to filter them.

  7. To edit an existing mark, update text in the Value field. To delete a mark, click the trash icon next to it.

  8. When you're finished adding marks, click Save.

The assets you selected are now associated with a mark. By default, marks display as a column in the assets display.

For information on dedicated asset marks for Security Health Analytics detectors, see Managing policies later on this page.

Add security marks to findings

The following steps add security marks to findings by using the Google Cloud console. After adding security marks, you can use them to filter the findings in the Findings query results panel.

To add security marks to findings:

  1. Go to the Security Command Center Findings page in the Google Cloud console.

    Go to the Findings page

  2. Select the project or organization you want to review.

  3. In the Findings query results panel, select one or more findings to add a security mark to by selecting their checkboxes.

  4. Select Set security marks.

  5. In the Security Marks dialog that appears, click Add mark.

  6. Specify the security mark as Key and Value items.

    For example, if you want to mark findings that are part of the same incident, add a key of "incident-number" and a value of "1234". Each finding then has the new mark.incident-number: 1234.

  7. To edit an existing mark, update text in the Value field.

  8. To delete marks, click the trash icon next to the mark.

  9. When you're finished adding marks, click Save.

Managing policies

To suppress findings, you can manually or programmatically mute individual findings or create mute rules that automatically mute current and future findings based on filters you define. For more information, see Mute findings in Security Command Center.

Muting findings is the recommended method when you don't want to review findings for projects that are isolated or fall within acceptable business parameters.

Alternatively, you can set marks on assets to explicitly include or exclude those resources from specific policies. Each Security Health Analytics detector has a dedicated mark type that lets you exclude marked resources from the detection policy: add a security mark of the form allow_finding_type:true, where finding_type is the finding category in lowercase. For example, to exclude the finding type SSL_NOT_ENFORCED on a resource, set the security mark allow_ssl_not_enforced:true on that asset. This mark type provides granularity of control for each resource and detector. Because marks are evaluated during batch scans, expect the exclusion to take effect within 12 to 24 hours rather than immediately. For more information about using security marks in Security Health Analytics, see Marking assets and findings with security marks.
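The following script is an added example, not code from this page or from Google's client libraries. It carries out the same three operations described above (marking assets, marking findings, and excluding an asset from a Security Health Analytics detector with an allow_ mark) against the Security Command Center v1 REST API instead of the console, and shows the client-side equivalent of filtering findings by mark. The organization, source, asset and finding IDs are placeholders, the sample findings are constructed, and the access token is assumed to come from `gcloud auth print-access-token`.

```python
"""Set, delete and filter Security Command Center security marks (v1 REST).

Added example, not code from the Security Command Center documentation.
Assumes placeholder resource names (organization 123, source 456, asset 789,
finding f1) and an OAuth access token such as the one printed by
`gcloud auth print-access-token`.
"""
import json
import re
import urllib.parse
import urllib.request

SCC_ENDPOINT = "https://securitycenter.googleapis.com/v1"

# Constraints from the SecurityMarks API reference: keys are letters, digits,
# underscores or dashes, 1-256 characters; values are 1-4096 characters
# after leading and trailing whitespace is trimmed.
_KEY_RE = re.compile(r"^[A-Za-z0-9_-]{1,256}$")


def validate_mark_key(key: str) -> None:
    if not _KEY_RE.match(key):
        raise ValueError(f"invalid mark key: {key!r}")


def build_marks_update(parent_name: str, set_marks: dict, delete_keys=()):
    """Build the PATCH request for <parent>/securityMarks.

    parent_name is an asset or finding name, for example
    organizations/123/assets/789 or organizations/123/sources/456/findings/f1
    (placeholder IDs). The updateMask names only the keys being touched, so
    marks not listed here are preserved. A key that is in the mask but absent
    from the body is deleted. An empty mask would replace every mark on the
    resource, which is rarely what you want.
    """
    for key, value in set_marks.items():
        validate_mark_key(key)
        if not 1 <= len(value.strip()) <= 4096:
            raise ValueError(f"invalid mark value for {key!r}")
    for key in delete_keys:
        validate_mark_key(key)
    mask = [f"marks.{k}" for k in list(set_marks) + list(delete_keys)]
    query = urllib.parse.urlencode({"updateMask": ",".join(mask)})
    url = f"{SCC_ENDPOINT}/{parent_name}/securityMarks?{query}"
    body = {"name": f"{parent_name}/securityMarks", "marks": dict(set_marks)}
    return url, body


def apply_marks_update(url: str, body: dict, access_token: str) -> dict:
    """Send the PATCH built above. The caller needs the matching
    Security Marks Writer role; no permission on the asset itself is needed."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def filter_by_mark(findings, key: str, value=None):
    """Client-side equivalent of the list filter
    security_marks.marks.<key>="<value>"; value=None matches any value.
    Mark keys are case-insensitive, so compare them lowercased."""
    want = key.lower()
    out = []
    for finding in findings:
        marks = {k.lower(): v for k, v in
                 finding.get("securityMarks", {}).get("marks", {}).items()}
        if want in marks and (value is None or marks[want] == value):
            out.append(finding)
    return out


# Constructed sample in the shape of a ListFindings response; not real data.
SAMPLE_FINDINGS = [
    {"name": "organizations/123/sources/456/findings/f1",
     "category": "SSL_NOT_ENFORCED",
     "securityMarks": {"marks": {"incident-number": "1234"}}},
    {"name": "organizations/123/sources/456/findings/f2",
     "category": "OPEN_FIREWALL",
     "securityMarks": {"marks": {}}},
    {"name": "organizations/123/sources/456/findings/f3",
     "category": "SSL_NOT_ENFORCED",
     "securityMarks": {"marks": {"incident-number": "9999", "stage": "prod"}}},
]


if __name__ == "__main__":
    # Tag finding f1 with an incident number and clear a stale "triage" mark.
    url, body = build_marks_update(
        "organizations/123/sources/456/findings/f1",
        {"incident-number": "1234"}, delete_keys=["triage"])
    print(url)
    print(json.dumps(body))
    # Exclude asset 789 from the SSL_NOT_ENFORCED detector (takes effect on
    # the next batch scan, not immediately).
    url, body = build_marks_update("organizations/123/assets/789",
                                   {"allow_ssl_not_enforced": "true"})
    print(url)
    # Pick the findings that belong to incident 1234.
    print([f["name"] for f in
           filter_by_mark(SAMPLE_FINDINGS, "incident-number", "1234")])
    # To send a request: apply_marks_update(url, body, access_token) with a
    # token from `gcloud auth print-access-token`.
```

The same finding update from the command line is `gcloud scc findings update-marks f1 --organization=123 --source=456 --security-marks=incident-number=1234 --update-mask=marks.incident-number`, and the server-side filter is `gcloud scc findings list 123 --filter='security_marks.marks.incident-number="1234"'`. Always pass an explicit update mask: an update without one replaces every mark on the resource, which silently drops any allow_ exclusions other teams have set.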

What's next