This document explains how you can group findings into cases.
These steps are performed using Security Operations console pages. To open these pages from the Google Cloud console, go to Settings > SOAR settings.
Overview
The findings grouping mechanism automatically groups ingested findings into cases. By default, this grouping mechanism ensures that all findings in a case belong to the same:
- Resource owner
- Google Cloud project
- AWS account
- Asset type
- Category
- Severity level
Configure grouping settings
To configure the default grouping settings applicable to all ingested findings, follow these steps:
- In the Security Operations console, go to Settings > Ingestion > Connectors.
- Select SCC Enterprise - Urgent Posture Findings Connector.
- To customize the grouping mechanism and disable specific grouping options, clear the checkboxes for one or more of the following parameters:
  - Group by AWS Account
  - Group by GCP Project
  - Group by Severity
  - Group by Asset Type
By default, the following grouping settings apply to ingested findings:
- Group by AWS Account: Findings are grouped according to the AWS accounts they belong to.
- Group by GCP Project: Findings are grouped according to the Google Cloud projects they belong to.
- Group by Severity: Findings are grouped according to their severity level, such as HIGH or MEDIUM.
- Group by Asset Type: Findings are grouped according to their asset type (Google Cloud resource type), such as Compute Engine instance or IAM service account.
All findings that are grouped into a case belong to the same owner. To ensure
that findings are grouped correctly, including findings with no inherited
Google Cloud tags or Essential Contacts, always configure the
connector Fallback Owner parameter.
Example: How the grouping mechanism works
In this example, only findings from Google Cloud are used.
The connector ingests four findings with different severities and different values inherited from their respective Google Cloud resources:
- Finding 1: Severity: Critical, Asset Type: Compute, Project: Project_1
- Finding 2: Severity: Critical, Asset Type: IAM, Project: Project_2
- Finding 3: Severity: High, Asset Type: Compute, Project: Project_1
- Finding 4: Severity: High, Asset Type: Compute, Project: Project_2
Default grouping mechanism
With the default settings, findings are grouped according to their respective projects, asset types, and severity levels.
In this example, every finding is included in a different case.
- Case 1:
  - Finding 1: Severity: Critical, Asset Type: Compute, Project: Project_1
- Case 2:
  - Finding 2: Severity: Critical, Asset Type: IAM, Project: Project_2
- Case 3:
  - Finding 3: Severity: High, Asset Type: Compute, Project: Project_1
- Case 4:
  - Finding 4: Severity: High, Asset Type: Compute, Project: Project_2
Custom grouping mechanism
Selecting only the Group by GCP Project checkbox automatically groups findings according to their Google Cloud projects so that a case only contains findings belonging to the same project:
- Case 1:
  - Finding 1: Severity: Critical, Asset Type: Compute, Project: Project_1
  - Finding 3: Severity: High, Asset Type: Compute, Project: Project_1
- Case 2:
  - Finding 2: Severity: Critical, Asset Type: IAM, Project: Project_2
  - Finding 4: Severity: High, Asset Type: Compute, Project: Project_2
Selecting only the Group by Severity checkbox automatically groups findings according to their severities so that a case only contains findings with the same severity level:
- Case 1:
  - Finding 1: Severity: Critical, Asset Type: Compute, Project: Project_1
  - Finding 2: Severity: Critical, Asset Type: IAM, Project: Project_2
- Case 2:
  - Finding 3: Severity: High, Asset Type: Compute, Project: Project_1
  - Finding 4: Severity: High, Asset Type: Compute, Project: Project_2
Selecting only the Group by Asset Type checkbox automatically groups findings according to their asset types (resource types in Google Cloud) so that a case only contains findings belonging to the same asset type:
- Case 1:
  - Finding 1: Severity: Critical, Asset Type: Compute, Project: Project_1
  - Finding 3: Severity: High, Asset Type: Compute, Project: Project_1
  - Finding 4: Severity: High, Asset Type: Compute, Project: Project_2
- Case 2:
  - Finding 2: Severity: Critical, Asset Type: IAM, Project: Project_2
Selecting both the Group by GCP Project and Group by Severity checkboxes automatically groups findings according to their respective projects and severity levels so that a case only contains findings belonging to the same project and having the same severity. In this example, the connector creates the following four cases:
- Case 1:
  - Finding 1: Severity: Critical, Asset Type: Compute, Project: Project_1
- Case 2:
  - Finding 2: Severity: Critical, Asset Type: IAM, Project: Project_2
- Case 3:
  - Finding 3: Severity: High, Asset Type: Compute, Project: Project_1
- Case 4:
  - Finding 4: Severity: High, Asset Type: Compute, Project: Project_2
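To make the grouping rules above concrete, here is an added Python model of the grouping key (example code, not the connector's own implementation). It uses the four findings from the example, with a constructed category and no inherited owner so that the Fallback Owner applies; the option names and the sample owner and category values are assumptions.

```python
from collections import defaultdict

# Constructed sample: the four findings from the example above. The category
# is an assumed value shared by all four; none of them inherits an owner.
FINDINGS = [
    {"id": 1, "severity": "Critical", "asset_type": "Compute", "project": "Project_1",
     "aws_account": None, "category": "EXAMPLE_CATEGORY", "owner": None},
    {"id": 2, "severity": "Critical", "asset_type": "IAM", "project": "Project_2",
     "aws_account": None, "category": "EXAMPLE_CATEGORY", "owner": None},
    {"id": 3, "severity": "High", "asset_type": "Compute", "project": "Project_1",
     "aws_account": None, "category": "EXAMPLE_CATEGORY", "owner": None},
    {"id": 4, "severity": "High", "asset_type": "Compute", "project": "Project_2",
     "aws_account": None, "category": "EXAMPLE_CATEGORY", "owner": None},
]

# Constructed stand-in for the connector's Fallback Owner parameter.
FALLBACK_OWNER = "soc-fallback@example.com"


def grouping_key(finding, *, by_project=True, by_aws_account=True,
                 by_severity=True, by_asset_type=True, fallback_owner=FALLBACK_OWNER):
    """Build the tuple that decides which case a finding lands in.

    Owner and category are always part of the key; the four checkbox options
    add or drop the remaining dimensions. A finding with no inherited owner
    takes the fallback owner, so it still groups with its peers."""
    owner = finding.get("owner") or fallback_owner
    key = [owner, finding["category"]]
    if by_project:
        key.append(finding.get("project"))
    if by_aws_account:
        key.append(finding.get("aws_account"))
    if by_severity:
        key.append(finding.get("severity"))
    if by_asset_type:
        key.append(finding.get("asset_type"))
    return tuple(key)


def group_findings(findings, **options):
    """Return cases as sorted lists of finding IDs, in order of first appearance."""
    cases = defaultdict(list)
    for finding in findings:
        cases[grouping_key(finding, **options)].append(finding["id"])
    return [sorted(ids) for ids in cases.values()]


if __name__ == "__main__":
    print("default:", group_findings(FINDINGS))
    print("project only:", group_findings(
        FINDINGS, by_aws_account=False, by_severity=False, by_asset_type=False))
```

Each call reproduces one of the case layouts shown above; clearing a checkbox drops that dimension from the key, so more findings share a case.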
What's next?
- Learn more about alerts in the Google SecOps documentation.