Console
    Start free

    Create your first use case

    Supported in:
    This document defines a *use case* and outlines the requirements to publish one to the Content Hub. It provides a comprehensive guide for creating a new use case, from defining the security threat and building the playbook to the final publication.

    Understand use cases

    A use case is a package of items that together provide a solution, such as:

    • Automating phishing threats
    • Reducing false positives
    • Orchestrating incident investigations

    You publish a use case to the Content Hub, and it's available for all users to use.

    A use case package consists of:

    • Test cases
    • Connectors
    • Playbooks
    • Integrations
    • Mapping and modeling rules

    Publishing requirements

    To make sure your use case is ready for the Content Hub, it must meet the following requirements:

    • Simulation alerts are based on real alerts from a real product.
    • All entities are extracted when running the simulation alert in a clean environment.
    • All entities are extracted when running the real alert with the connector.
    • The playbook runs end to end without errors.
    • The final output is a ZIP file export that can be imported without errors into the Content Hub.
    • When deployed, you can configure the integrations to make the playbook run end to end with simulation alerts.

    Create a use case

    This section outlines the steps to create your first use case.

    Define the use case

    To define the use case, follow these steps:

    1. Describe the security threat being addressed.
    2. Specify the alert type and the detection product that generates it (for example, CrowdStrike - Falcon Overwatch` via `Malicious Activity )
    3. Develop an incident response, orchestration, or automation process to handle this alert.

    Prepare use case alerts

    1. Create a custom alert or event based on a real-world scenario. Include a simulation alert to test your playbook and use case consistently. This simulation will also be included as part of the use case package.
    2. In Cases , click add Add > Simulate Cases .
    3. Click Add .
    4. Fill in the fields of the simulation alert based on the alerts you prepared for the use case:
      5. Field Description Example
      Source\SIEM Name
      		 Source of the alert (for example, Google Security Operations SIEM, detection tool). If alerts are generated by the product and pulled by Google SecOps, add the product name. Arcsight
      Rule Name
      		 Google SecOps SIEM rule or detection product alert name. If no SIEM is involved, use the name of the alert from the detection product. Data Exfiltration
      Alert Product
      		 Detection tool that generated the alert. DLP product
      Alert Name
      		 Alert name as generated by the product. Data Exfiltration
      Event Name
      		 Base event triggering the alert. Data Exfiltration
      Additional Alert Fields
      		 Extra SIEM fields or alert name If no SIEM is present. Severity, Impact, Sensitive Assets If no SIEM is involved, alert_name: .
      Additional Event Fields
      		 Raw security data for incident response. src_ip, dest_port, email_headers
    5. Create a simulation alert in Google SecOps, based on your sample alert or event.

    Extract entities

    1. Select the visualization model for the alert (the entities that Google SecOps should extract and the relations between them), and map raw data fields to the selected model.
    2. On the event, click settings Configuration . For details, see Get started with Google Security Operations SOAR , Create entities (mapping and modeling) , and Map and model alerts .
    3. Verify that all entities are created under the Case tab in Entities Highlights . To do so, click Entities Highlights > View More for each entity.

    Build a playbook

    To build a playbook, do the following:

    1. Define the incident response flow visually (chart or diagram) for the alert.
    2. Design the playbook in Google SecOps. To do so, download and configure the integrations to use in the playbook. For details, see Configure integrations .

    Configure actions in the playbook

    Set action parameters, conditions, and branches, as follows:

    1. Action Type: Select whether this action should run automatically or manually (requires human approval).
    2. Choose Instance: Select Dynamic .
    3. If Step Fails: Choose whether the playbook stops if the action fails or it skips to the next action.
    4. Entities: Select the entity types this action affects (from those extracted in your simulation alert).
    5. Other parameters: Enter the action-specific parameters based on the integration documentation.

    Configure conditions in the playbook

    To configure conditions in the playbook, follow these steps:

    1. Determine the number of branches needed. If required, click Add Branch to create additional branches.
    2. For each branch, define the conditions that trigger it. Use placeholders (square brackets) to reference conditions from event data, previous action results, and more.
      3. Use tools you can test in your flow.
    3. Test with live data: Set up a connector that can pull alerts similar to the simulation alert you created. For details, see Configure the connector .
    4. Test the connector with an example, such as an email connector using a phishing email alert. For details, see Test a connector .
    5. Verify that:
      • The same mapping applies to the real alert so that Google SecOps can extract the relevant entities.
      • The playbook runs end to end on the alert and performs the defined logic. (Test with both malicious and non-malicious alerts).

    Write a guide

    The use case you're creating will be used by other Google SecOps users. Attach content as a guide to help other users implement the use case. You can attach this guide in the Publish Use Case :

    • Explain the use case and its SOC value.
    • Provide recommendations for improvement.
    • Include instructions for running the use case with simulation and real data.
    • Add setup instructions for connectors and integrations.
    • Include any relevant licensing information.
    • Include a procedure on how to develop your first connector .

    Publish the use case

    To publish your use case, follow these steps:

    1. Go to Content Hub and click the Use Cases tab.
    2. Click format_list_bulleted List and select Create New Use Case .
    3. Enter the details and add all items you developed (test cases, playbooks, and connectors).
    4. Attach your guide in the Description field or link to a full guide.
    5. Optional: Click Export to export the use case (now or later) and click Save .
    6. Optional: After you click Save , you can export the package as a ZIP file, or Import it for testing.
    7. Submit for approval to publish.

    Need more help? Get answers from Community members and Google SecOps professionals.

    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: