
After experimenting and checking the documentation on security marks, it is not clear whether the asset security marks are the same security marks as the finding ones.

I've added a security mark in the "Assets" tab, only to go back to the "Findings" tab and not see it there. Are they the same, but I'm experiencing a data synchronization issue? I've waited at least 2 days, however. Or are they different "marks"?

ahong

1 Answer


According to this documentation, https://cloud.google.com/security-command-center/docs/how-to-security-marks, it appears Asset Security Marks are not the same as Finding Security Marks and must be created and handled separately.

This makes sense, since you use asset security marks to ignore an asset, while with finding security marks you only want to ignore one finding on the asset, not the asset as a whole.

Zavalagrah
  • A good example would be if you had a project created just for forensic investigation of compromised systems. You know that this project will be triggering CSCC Alerts, so you mark that with an Asset Mark. Now let's say you had a project that requires port 22 open to 0.0.0.0/0. This will create an Alert that can be ignored using a Finding Mark, instead of ignoring the entire asset. – Zavalagrah May 18 '20 at 17:32
  • I agree with you that they are not the same, but I don't think what you said about "ignoring policies" works with Finding Security Marks. I think only asset security marks work, based on experimenting with a couple of resources (marking in assets only, marking in findings only, marking in both). "You can set marks on assets to explicitly include or exclude those resources from specific policies. Each Security Health Analytics detector has a dedicated mark type that enables you to exclude marked resources from the detection policy, by adding a security mark allow_finding-type." – ahong May 20 '20 at 08:31
  • I've upvoted your answer, but I'm still looking for a more conclusive answer. I feel like I still need to read between the lines of the documentation, but I would like a more explicit line from them. I've given some feedback on these docs too. – ahong May 20 '20 at 08:33
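The reason the two kinds of marks never "sync" is visible in the API itself: asset marks and finding marks live at two different `securityMarks` resource paths and are updated with two different `updateSecurityMarks` calls. The following is an added example, not code from the question, the answer or Google's client library; it builds the REST `PATCH` requests for both paths offline (no network calls) and encodes the Security Health Analytics exclusion convention quoted in the comments above, where an `allow_<finding-type>` mark goes on the asset. The org ID, asset ID, source ID, finding ID and resource URI are made-up sample values; the mark-key rules (letters, digits, underscores, dashes, 1-256 characters) and the `allow_<category lowercased>: "true"` key format are taken from the SCC documentation as I read it and should be checked against the current docs before use.

```python
"""Build Security Command Center v1 updateSecurityMarks requests for an asset
or a finding, showing that the two are separate resources.

Added example (not from the original post). Constructed sample IDs throughout.
"""
from __future__ import annotations

import re
from typing import Dict

SCC_ENDPOINT = "https://securitycenter.googleapis.com/v1"

# Org-level v1 resource names (assumption: org-scoped, not folder/project-scoped).
_ASSET_NAME = re.compile(r"^organizations/\d+/assets/\d+$")
_FINDING_NAME = re.compile(r"^organizations/\d+/sources/\d+/findings/[A-Za-z0-9]+$")
# Mark key rules per the SecurityMarks reference: letters, digits, '_' or '-', 1..256 chars.
_MARK_KEY = re.compile(r"^[A-Za-z0-9_-]{1,256}$")


def security_marks_name(resource_name: str) -> str:
    """Return the securityMarks child resource for an asset or a finding.

    Note the two distinct parents: .../assets/{id} vs .../sources/{id}/findings/{id}.
    A finding's `resourceName` field (a '//service.googleapis.com/...' URI) is NOT
    an asset name and cannot be marked directly; look up the asset first.
    """
    if _ASSET_NAME.match(resource_name) or _FINDING_NAME.match(resource_name):
        return f"{resource_name}/securityMarks"
    raise ValueError(
        f"{resource_name!r} is neither an asset nor a finding resource name; "
        "full resource URIs must be resolved to organizations/*/assets/* first"
    )


def marks_target(resource_name: str) -> str:
    """'asset' or 'finding', so callers can see which namespace a mark lands in."""
    if _ASSET_NAME.match(resource_name):
        return "asset"
    if _FINDING_NAME.match(resource_name):
        return "finding"
    raise ValueError(f"unsupported resource name {resource_name!r}")


def sha_allow_mark(finding_category: str) -> Dict[str, str]:
    """Security Health Analytics exclusion mark for a detector category.

    Assumed format from the docs: key 'allow_<CATEGORY lowercased>', value 'true'.
    This mark only has effect when set on the ASSET, which is the point made in
    the comments above.
    """
    return {f"allow_{finding_category.lower()}": "true"}


def build_update_marks_request(resource_name: str, marks: Dict[str, str]) -> dict:
    """Assemble the PATCH request the REST API expects.

    updateMask lists each key as 'marks.<key>' so other marks are left untouched;
    mark values must be strings (the API rejects booleans), hence "true", not True.
    """
    for key, value in marks.items():
        if not _MARK_KEY.match(key):
            raise ValueError(f"invalid mark key {key!r}")
        if not isinstance(value, str) or not value.strip():
            raise ValueError(f"mark {key!r} must have a non-empty string value")
    name = security_marks_name(resource_name)
    update_mask = ",".join(f"marks.{k}" for k in sorted(marks))
    return {
        "method": "PATCH",
        "url": f"{SCC_ENDPOINT}/{name}?updateMask={update_mask}",
        "body": {"name": name, "marks": dict(marks)},
        "target": marks_target(resource_name),
    }


if __name__ == "__main__":
    # Constructed sample names (not real resources).
    forensics_project_asset = "organizations/123456789/assets/987654321"
    ssh_finding = "organizations/123456789/sources/555/findings/a1b2c3d4"

    # 1) Asset mark: exclude a whole forensics project from the OPEN_SSH_PORT detector.
    print(build_update_marks_request(forensics_project_asset, sha_allow_mark("OPEN_SSH_PORT")))
    # 2) Finding mark: annotate one finding only; this is a different resource, so it
    #    will never show up under the asset's marks (and vice versa).
    print(build_update_marks_request(ssh_finding, {"triage": "accepted-risk"}))
```

If you apply the first request and then list findings, the `allow_open_ssh_port` mark is on the asset's `securityMarks`, not on any finding's `securityMarks`, which is exactly the "added it in Assets, don't see it in Findings" behaviour from the question.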