google.cloud.securitycenter.v1.SecurityCenter.SetMute
GCP
google.cloud.securitycenter.v1.SecurityCenter.SetMute
Event
Mutes Security Command Center findings, suppressing security alerts from visibility.
Security Context
- Muting SCC findings removes them from the default active findings view, hiding evidence of misconfigurations, vulnerabilities, or active threats from security teams.
- Adversaries mute findings related to their activity to prevent detection and automated response workflows that trigger on SCC finding state changes.
Log Source
Cloud Audit Logs
Sample Event
Adversarial. Draco — having gained securitycenter.findings.setMute via his earlier custom role binding — mutes the active SCC finding raised against the prior gcp-google-iam-admin-v1-createserviceaccountkey event (“Persistence: IAM anomalous service-account-key creation”). Muting hides the finding from SCC’s default active-findings view, suppressing the SOC’s primary alert pipeline. The mute persists until explicitly un-muted. Note: SCC findings are organization-scoped, so this entry routes to the org-level logName — project-only Data Access queries miss it.
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "draco@fantasticlogs.cloud" }, "requestMetadata": { "callerIp": "203.0.113.66", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.scc.findings.set-mute invocation-id/90000000000000000000001111110001 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)", "requestAttributes": { "time": "2026-04-15T13:51:48.221987654Z", "auth": {} }, "destinationAttributes": {} }, "serviceName": "securitycenter.googleapis.com", "methodName": "google.cloud.securitycenter.v1.SecurityCenter.SetMute", "authorizationInfo": [ { "resource": "organizations/555123456789/sources/100000000000000000111/findings/PERSISTENCE-IAM-ANOMALOUS-KEY-001111110001", "permission": "securitycenter.findings.setMute", "granted": true, "resourceAttributes": {} } ], "resourceName": "organizations/555123456789/sources/100000000000000000111/findings/PERSISTENCE-IAM-ANOMALOUS-KEY-001111110001", "request": { "@type": "type.googleapis.com/google.cloud.securitycenter.v1.SetMuteRequest", "name": "organizations/555123456789/sources/100000000000000000111/findings/PERSISTENCE-IAM-ANOMALOUS-KEY-001111110001", "mute": "MUTED" }, "response": { "@type": "type.googleapis.com/google.cloud.securitycenter.v1.Finding", "name": "organizations/555123456789/sources/100000000000000000111/findings/PERSISTENCE-IAM-ANOMALOUS-KEY-001111110001", "parent": "organizations/555123456789/sources/100000000000000000111", "category": "Persistence: IAM Anomalous Grant", "state": "ACTIVE", "severity": "HIGH", "mute": "MUTED", "muteUpdateTime": "2026-04-15T13:51:48.187654321Z" } }, "insertId": "evt001111110001", "resource": { "type": "organization", "labels": { "organization_id": "555123456789" } }, "timestamp": "2026-04-15T13:51:48.123456789Z", "severity": "INFO", "logName": "organizations/555123456789/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2026-04-15T13:51:48.567890123Z"}MITRE ATT&CK Mapping
Tactics: Defense Impairment
Techniques:
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...