Stay organized with collections
Save and categorize content based on your preferences.
The SCC Enterprise - Urgent Posture Findings Connector ingests all findings
into cases, but you might notice specific findings that appear irrelevant to your
project or indicate an expected behavior. In this case, the flow of negligible
findings might overcomplicate the security analyst workload and prevent analysts
from effectively responding to important vulnerabilities. Instead of being
constantly notified about the existing irrelevant findings in Security Command Center
Enterprise, you can mute them.
When you mute findings for cases, you prevent them from appearing in cases. You can mute findings in bulk by running a manual
action on a case or mute an individual finding by running a manual action on the
specific alert.
Mute multiple findings
If you mute all findings in a case, Security Command Center automatically closes the
case.
To mute multiple findings in a case, complete the following steps:
In the Google Cloud console, open Risk > Cases.
Select a case containing the findings to mute.
In the Case Overview tab, click Manual Action.
In the manual action Search field, input Update Finding.
In the search results under the GoogleSecurityCommandCenter integration,
select the Update Finding action. The action dialog window opens.
By default, the Run on Alerts parameter is set to the All Alerts
value.
Optional: To change the Run on Alerts parameter default settings, select
the relevant finding types from the drop-down list.
To configure the Finding Name parameter, input the following placeholder:
[Alert.TicketID]
The placeholder dynamically retrieves finding names that correspond to
selected alerts.
To mute findings, set the Mute Status parameter to Mute.
Click Execute.
Mute an individual finding
Muting an individual finding requires you to run the Update Finding action on
a specific alert in the case. The action doesn't affect other alerts
in the case.
To mute an individual finding, complete the following steps:
In the Google Cloud console, go to Risk > Cases to
open the Security Operations console Cases list page.
Select a case containing the findings to mute.
In a case, select the alert containing a finding to mute.
In an alert, go to the Events tab.
To retrieve a Finding Name from an event, click View More. The
detailed view of the event opens.
Under the Highlighted Fields section, find a Name field name. Click
its value to see the full finding name.
Copy the full finding name value in the following format:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[],[],null,["# Mute findings in cases\n\n| Enterprise [service tier](/security-command-center/docs/service-tiers)\n\nThe **SCC Enterprise - Urgent Posture Findings Connector** ingests all findings\ninto cases, but you might notice specific findings that appear irrelevant to your\nproject or indicate an expected behavior. In this case, the flow of negligible\nfindings might overcomplicate the security analyst workload and prevent analysts\nfrom effectively responding to important vulnerabilities. Instead of being\nconstantly notified about the existing irrelevant findings in Security Command Center\nEnterprise, you can mute them.\n\nWhen you mute findings for cases, you prevent them from appearing in cases. You can mute findings in bulk by running a manual\naction on a case or mute an individual finding by running a manual action on the\nspecific alert.\n\nMute multiple findings\n----------------------\n\nIf you mute all findings in a case, Security Command Center automatically closes the\ncase.\n\nTo mute multiple findings in a case, complete the following steps:\n\n1. In the Google Cloud console, open **Risk \\\u003e Cases**.\n2. Select a case containing the findings to mute.\n3. In the **Case Overview** tab, click **Manual Action**.\n4. In the manual action **Search** field, input `Update Finding`.\n5. In the search results under the **GoogleSecurityCommandCenter** integration,\n select the **Update Finding** action. The action dialog window opens.\n\n By default, the **Run on Alerts** parameter is set to the **All Alerts**\n value.\n | **Note:** The **All Alerts** value means that the action retrieves the **Finding\n | Name** value from each alert in a case and extracts all finding IDs in one action run.\n6. Optional: To change the **Run on Alerts** parameter default settings, select\n the relevant finding types from the drop-down list.\n\n7. To configure the **Finding Name** parameter, input the following placeholder:\n `[Alert.TicketID]`\n\n The placeholder dynamically retrieves finding names that correspond to\n selected alerts.\n8. To mute findings, set the **Mute Status** parameter to **Mute**.\n\n9. Click **Execute**.\n\nMute an individual finding\n--------------------------\n\nMuting an individual finding requires you to run the *Update Finding* action on\na specific alert in the case. The action doesn't affect other alerts\nin the case.\n\nTo mute an individual finding, complete the following steps:\n\n1. In the Google Cloud console, go to **Risk \\\u003e Cases** to open the Security Operations console **Cases list** page.\n2. Select a case containing the findings to mute.\n3. In a case, select the alert containing a finding to mute.\n4. In an alert, go to the **Events** tab.\n5. To retrieve a **Finding Name** from an event, click **View More**. The detailed view of the event opens.\n6. Under the **Highlighted Fields** section, find a **Name** field name. Click its value to see the full finding name.\n7. Copy the full finding name value in the following format:\n\n organizations/\u003cvar translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e/sources/\u003cvar translate=\"no\"\u003eSOURCE_ID\u003c/var\u003e/finding/\u003cvar translate=\"no\"\u003eFINDING_ID\u003c/var\u003e\n\n8. In the **Alert Overview** tab of the selected alert, click\n **Manual Action**.\n\n9. In the manual action **Search** field, enter `Update Finding`.\n\n10. In the search results under the **GoogleSecurityCommandCenter** integration,\n select the **Update Finding** action. The action dialog window opens.\n\n By default, the **Run on Alerts** parameter is set to the selected alert\n value.\n11. To configure the **Finding Name** parameter, paste the **Name** value that\n you've copied from the event detailed view.\n\n12. To mute a finding, set the **Mute Status** parameter to **Mute**.\n\n13. Click **Execute**.\n\nWhat's next?\n------------\n\n- Learn how you can\n [mute findings in Security Command Center](/security-command-center/docs/how-to-mute-findings).\n\n- Learn more about the [cases](/chronicle/docs/soar/investigate/working-with-cases/cases-overview)\n in the Google SecOps documentation."]]
