Mute findings in cases

The SCC Enterprise - Urgent Posture Findings Connector ingests all findings into cases, but you might notice specific findings that appear irrelevant to your project or indicate an expected behavior. In this case, the flow of negligible findings might overcomplicate the security analyst workload and prevent analysts from effectively responding to important vulnerabilities. Instead of being constantly notified about the existing irrelevant findings in Security Command Center Enterprise, you can mute them.

When you mute findings for cases, you prevent them from appearing in cases. You can mute findings in bulk by running a manual action on a case or mute an individual finding by running a manual action on the specific alert.

Mute multiple findings

If you mute all findings in a case, Security Command Center automatically closes the case.

To mute multiple findings in a case, complete the following steps:

  1. In the Google Cloud console, open Risk > Cases.
  2. Select a case containing the findings to mute.
  3. In the Case Overview tab, click Manual Action.
  4. In the manual action Search field, input Update Finding.

  5. In the search results under the GoogleSecurityCommandCenter integration, select the Update Finding action. The action dialog window opens.

    By default, the Run on Alerts parameter is set to the All Alerts value.

  6. Optional: To change the Run on Alerts parameter default settings, select the relevant finding types from the drop-down list.

  7. To configure the Finding Name parameter, input the following placeholder: [Alert.TicketID]

    The placeholder dynamically retrieves finding names that correspond to selected alerts.

  8. To mute findings, set the Mute Status parameter to Mute.

  9. Click Execute.

Mute an individual finding

Muting an individual finding requires you to run the Update Finding action on a specific alert in the case. The action doesn't affect other alerts in the case.

To mute an individual finding, complete the following steps:

  1. In the Google Cloud console, go to Risk > Cases to open the Security Operations console Cases list page.
  2. Select a case containing the findings to mute.
  3. In a case, select the alert containing a finding to mute.
  4. In an alert, go to the Events tab.
  5. To retrieve a Finding Name from an event, click View More. The detailed view of the event opens.
  6. Under the Highlighted Fields section, find a Name field name. Click its value to see the full finding name.

  7. Copy the full finding name value in the following format:

    organizations/ORGANIZATION_ID/sources/SOURCE_ID/finding/FINDING_ID

  8. In the Alert Overview tab of the selected alert, click Manual Action.

  9. In the manual action Search field, enter Update Finding.

  10. In the search results under the GoogleSecurityCommandCenter integration, select the Update Finding action. The action dialog window opens.

    By default, the Run on Alerts parameter is set to the selected alert value.

  11. To configure the Finding Name parameter, paste the Name value that you've copied from the event detailed view.

  12. To mute a finding, set the Mute Status parameter to Mute.

  13. Click Execute.

What's next?