Onboarding Journey articles

Security Operations: Journey Overview

Thu, 31 Oct 2024 16:46:55 GMT

Google Security Operations (SecOps) is part of Google Cloud Security’s comprehensive security portfolio.

Google SecOps helps protect your organization giving the frontline defense an all-one-platform to visualize their defensive posture, detect activity in their environment, investigate events, and respond accordingly.

Google SecOps is a cloud service, built as a specialized layer on top of core Google infrastructure that enables security teams to store and analyze their security data in one place and to detect, investigate, and respond to threats.

The following Onboarding Journey will guide you through the basic and fundamental tasks needed for you to set up, navigate, gain familiarity, and conduct essential tasks within the Google SecOps Platform.

Your journey begins now.

Journey

Google SecOps Journey

Actions

In the Google SecOps Journey, you will navigate through five main tasks of implementation:

1. Administration

1.1. Initial Config

1.2. Admin Setup

2. Ingestion

2.1. Configure Data Ingest

2.2. Utilize SecOps Marketplace

3. Detect

3.1. Threat Detection

4. Investigate

4.1. Investigation

4.2. Investigate Cases & Alerts

5. Respond

5.1. Response

5.2. Dashboard & Reports

Next Step: Security Operations: Step 1 - Administration

Security Operations: Step 1 - Administration

Thu, 31 Oct 2024 16:47:16 GMT

This section of Google Security Operations onboarding will go over Administration: Initial Config and Admin Setup.

Prerequisites

Access to the Homepage and its features, requires the user to have access, and a valid authentication. Users must be provided access and authentication from the organization’s administrator(s).
Access to manage Projects inside of your company’s Google Workspace.

Next Step: Security Operations: Step 1.1 - Administration | Initial Config

Previous Step: Security Operations: Journey Overview

Security Operations: Step 1.1 - Administration | Initial Config

Fri, 01 Nov 2024 14:58:53 GMT

Google SecOps Initial Configuration will provide administrative access to the platform. This is the first requirement in product adoption, and includes integration with your chosen Identity and Access Management (IAM) software to ensure user and role consistency across your portfolio.

Prerequisites

Access to the Homepage and its features, requires the user to have access, and a valid authentication. Users must be provided access and authentication from the organization’s administrator(s).

Actions

Configure GCP for GSO

A Google Cloud project is required to use Google Workspace APIs. It is the overarching entity to group services, APIs, billing, collaborators, and managing permissions within your Google Cloud environment.

Prerequisites

Access to manage Projects inside of your company’s Google Workspace.

Your company should have the Project Creator permission at the organization level, no additional permissions should be required.

Steps

In the Google Cloud console, users will select Navigation Menu.
A popout menu will appear, users will select IAM & Admin, and select Create a Project.
In the Project Name field, enter a descriptive name for your project.
- Optional: To edit the Project ID, click Edit. The project ID can't be changed after the project is created, so choose an ID that will meet the needs for the lifetime of the project.
In the Location field, click Browse to display potential locations for the project. Then, click Select.
Once completed, users will select Create. The Google Cloud console navigates to the Dashboard page and your project is created within a few minutes.
Users’ service account will exist in a project maintained by Google SecOps. Users will see this permission grant by navigating to the IAM page of their Google Cloud project selecting the Include Google-provided Role Grants checkbox in the upper right-hand corner.
If users don't see the new service account, they can check the Include Google-provided Role Grants button is enabled on the IAM page.

Relevant Documentation Links

[All Steps] https://cloud.google.com/chronicle/docs/onboard/configure-cloud-project

Grant Access

In Google SecOps you can use the Google Cloud console and the gcloud CLI to quickly grant or revoke a single role for a single principal, without editing the resource's allow policy directly.

Prerequisites

Access to manage Projects inside of your company’s Google Workspace.

Your company should have the Project Creator permission at the organization level, no additional permissions should be required.

Steps

In the Google Cloud console, users will go to the IAM page.
Select a Project, Folder, or Organization.
Select a Principal to grant a role to:
1. To grant a role to a Principal who already has other roles on the resource, find a row containing the Principal, click Edit Principal in that row, and click Add Another Role.
2. To grant a role to a Principal who doesn't have any existing roles on the resource, click the Grant Access button, then enter the Principal's email address or other identifier.
The Select a Role dropdown menu will appear. Select a role to grant from the drop-down list. For best security practices, choose a role that includes only the permissions that your principal needs. with the following options:
1. Browser
2. Editor
3. Owner
4. Viewer
To grant a role to a Service Agent, select the Include Google-provided Role Grants checkbox to see its email address.
Optional: Add a condition to the Role.
Click Save. The Principal is granted the role on the resource.
To grant a role to a Principal for more than one project, folder, or organization, users will select Manage Resources in the IAM & Admin menu on the left side of the page.
Select all the Resources for the selections the user wants to grant permissions to.
If the info panel is not visible, click Show Info Panel. Then, click Permissions.
Select a Principal to grant a role to:
1. To grant a role to a principal who already has other roles, find a row containing the principal, click Edit Principal button in that row, and click Add Another Role.
2. To grant a role to a Principal who does not already have other roles, click Add Principal button, then enter the principal's email address or other identifier.
Select a role to grant from the drop-down list.
Click Save. The Principal is granted the selected role on each of the selected resources.

Relevant Documentation Links

[All Steps] https://cloud.google.com/iam/docs/granting-changing-revoking-access

Configure IDP Integration

Identity Platform is a CIAM system that can help you add identity and access management functionality to your Google Cloud projects. You can use Cloud Identity, Google Workspace, or a third-party identity provider to manage users, groups, and authentication.

Prerequisites

Google Cloud project set up for Google SecOps
Billing enabled for Google Cloud Project

Steps

Users will select a Project from the dropdown at the top of the Google Cloud Console.
Navigate to the Side Bar select View All Products. Users will then look for the Tools section and select the Identity Platform page (Users can pin the selection also).
Click Enable Identity Platform.
Navigate to the Identity Providers Page and click Add a Provider.
Click the Enabled toggle to on, click Save
Navigate to the Users page
Click Add user.
In the Email field, enter an Email and Password. Make a note of both of these values because you will need them in a later step.
To add the user, click Add. The new user is listed on the Users Page.

Relevant Documentation Links

[All Steps] https://cloud.google.com/chronicle/docs/onboard/configure-cloud-authentication

Configure 3rd Party IDP

If your organization uses an external Identity Provider (IdP), you will need to configure federation to allow your users, contractors, and partners to authenticate to IAM and Google Console.

Prerequisites

Administrative access to the Google Cloud Project in which you intend to enable 3rd party IdP
Understanding of Google Cloud Workforce Identify Federation
Familiarity with Google Cloud Shell

Steps

Users will navigate to Google SecOps.
Google SecOps looks up IdP information in the Google Cloud workforce identity pool.
A request is sent to the IdP.
The SAML assertion is sent to the Google Cloud workforce identity pool.
If authentication is successful, Google SecOps receives only the SAML attributes defined when you configured the workforce provider in the workforce identity pool.
User will define workforce identity pool and provider details.
Then define User Attributes and Groups in the IdP
Create a SAML Application in the IdP and configure it.
Configure workforce identity federation in Google Cloud.
Create and Configure a Workforce Identity Pool.
Create a Workforce Identity Pool.
Grant a role to enable sign into Google SecOps.
Verify or configure Google SecOps feature access control.
[Opt] Modify Workforce Identity Federation configuration.

Relevant Documentation Links

[All Steps] https://cloud.google.com/chronicle/docs/onboard/configure-authentication

Configure Access Control IAM

Google SecOps integrates with Google Cloud Identity and Access Management (IAM) to provide Google SecOps-specific permissions and predefined roles. Google SecOps administrators can control access to features by creating IAM policies.

Prerequisites

Access to manage Projects inside of your company’s Google Workspace.
Google SecOps must be bound to a Google Cloud project and configured with either Cloud Identity, Google Workspace, or Google Cloud workforce identity federation as an intermediary in the authentication flow to a third-party identity provider.

Steps

After logging on to Google SecOps, a user accesses a Google SecOps application page. Alternatively, the user may send an API Request to Google SecOps.
Google SecOps verifies the permissions granted in the IAM policies defined for that user.
IAM returns the authorization information. If the user accessed an application page, Google SecOps enables access to only those features that the user has been granted access to.
If the user sent an API Request, and does not have permission to perform the requested action, the API Response includes an error. Otherwise, a standard response is returned.
Google SecOps Permissions correspond one-to-one with Google SecOps API methods. Each Google SecOps Permission enables a specific action on a specific Google SecOps feature when using the Web Application or the API.
To assign a Role to a user follow the steps in Grant Access section.

Relevant Documentation Links

[All Steps] https://cloud.google.com/chronicle/docs/onboard/configure-feature-access

User Management

Google SecOps allows you to provision, authenticate, and map users with secure identification to the Google SecOps platform. This page illustrates the configuration process using Google Workspace as the external IdP.

Prerequisites

Access to manage Projects inside of your company’s Google Workspace.

Steps

Users need to set up the SAML Attributes and the SAML groups in the external Identity Provider (IdP).
Navigate to the SAML Attributes mapping section in the Google Workspace.
Users will add the following four mandatory attributes:
1. first_name
2. last_name
3. user_email
4. Groups
In the Google Groups section, users will write the names of the IdP Groups. As an example:
1. Chronicle Admins
2. Gcp-security-admins
Users will need to take note of the group names, as they will need them later for mapping in the Google SecOps platform.
To Control User Access, users will go into the SOAR Settings of the unified Google SecOps platform, there are several different ways to determine which users have access to which aspects of the platform.
1. Permissions groups
2. SOC roles
3. Environments
The combination of Permission Groups, SOC Roles, and Environments defines the Google SecOps user journey for each IdP Group in the Google SecOps platform.
Users will need to map each IdP Group that you defined in the SAML settings procedure in the IdP Group Mapping page. (By default, the Google SecOps platform includes an IdP Group of default admins.)
To map IdP groups, users will need to go into the Google SecOps platform, navigate to Settings > SOAR Settings > Advanced > IdP Group Mapping.
Make sure the user has the names of the IdP Groups, they will select to map.
Click the Add button and start mapping the parameters for each IdP Group.
When finished, users will click Save. When each user logs in to the platform, they are automatically added to the User Management page (which is located in Settings > Organization .
Note: Sometimes users will try to log into the Google SecOps platform but their IdP Group has not been mapped in the platform. In order for these users not to be rejected, Google recommends enabling and setting the Default Access Settings on this page. IdP users must be part of a single mapped IdP Group.

Relevant Documentation Links

[All Steps] https://cloud.google.com/chronicle/docs/soar/admin-tasks/user-secops/map-users-in-the-secops-platform

Next Step: Security Operations: Step 1.2 - Administration | Admin Setup

Previous Step: Security Operations: Step 1 - Administration

Security Operations: Step 1.2 - Administration | Admin Setup

Thu, 31 Oct 2024 16:47:56 GMT

Google SecOps has many options and support capabilities to assist your organization in creating and managing features and functionality.

Actions

Access and Support

At times, the only way to troubleshoot problems on the customer's platform is to allow Google Support to create a user to access your instance.

Steps

To begin users will select Settings in the left-side Navigation Bar and then select SOAR Settings, that will display the Settings page.
In the Settings page, users will select Advanced, that will display a drop-down list. Users will select Support Access.
On the Support Access page, that will provide access to Google Support.
Users will be able to select to Allow Access to Google Support, after selecting the mandatory fields below.
Additional mandatory fields consist of:
1. Select SOC Role
2. Select Permission Group
3. Select Environments
4. Select Time Period
Select Save.
As soon as Google Support registers a new user, they will appear below.

Relevant Documentation Links

[All Steps] https://cloud.google.com/chronicle/docs/soar/admin-tasks/permissions/allow-google-support-access

Create Lists and Templates

Your organization can create a blocklist of items. These are composed of entities that the system does not group alerts by or entities which should not be displayed in the system.

Steps

To add a new blocklist item users will navigate to SOAR Settings > Environments > Blocklist.
Click Add on the top right of the screen.
Enter Entity Identifier and select Entity Type, Action, and the Environment.
Click Add.

Relevant Documentation Links

[All Steps] https://cloud.google.com/chronicle/docs/soar/admin-tasks/configuration/create-block-list-to-exclude-entities-from-alerts

Email Notifications

Your organization can set up an email box in Google SecOps to send emails to users. When you select the Google SecOps SMTP configuration (default), the platform email service sends your emails. You have the option to select the Customer Configuration and your email service will send out the emails.

Steps

To begin users will select Settings in the left-side Navigation Bar and then select SOAR Settings, that will display the Settings page.
In the Settings page, users will select Advanced, that will display a drop-down list. Users will select Email Settings.
On the Email Settings page, users by default will see Google SecOps SMTP selected.
If users prefer to use a separate option, they will select Customer Configuration, to manually setup their email address, from which all system emails will be sent. Those selection options consist of:
1. Sender Display Name
2. Sender Email Address
3. Username
4. Password
5. SMTP - Server Address
6. SMTP - Port
7. SMTP - Use SSL
8. Require Authentication
9. Trust Certificate
10. Use Exchange OAuth
When those sections are filled in, users can test the configuration.
When complete, users will select Save.

Relevant Documentation Links

[All Steps] https://cloud.google.com/chronicle/docs/soar/admin-tasks/advanced/setting-up-your-email

Data Retention & Logs

Google Cloud services write audit logs that record administrative activities and accesses within your Google Cloud resources. Audit logs help you answer "who did what, where, and when?" within your Google Cloud resources with the same level of transparency as in on-premises environments.

Prerequisites

To view audit logs, you must have the appropriate Identity and Access Management (IAM) permissions and roles.

Steps

By default, Google retains Twelve Months of user data in the user’s Google SecOps account. This retention period can be extended as part of the Purchase Order. The retention period applies to all of the data in the user’s Google SecOps instance.
Google uses an automated system to remove historical data based on event and detection timestamps.
Enabling audit logs helps users with security, auditing, and compliance entities that monitor Google Cloud data and systems for possible Vulnerabilities or external data misuse.
Cloud Audit Logs provides the following audit logs for each Google Cloud project, folder, and organization:
1. Admin Activity Audit Logs
2. Data Access Audit Logs
3. System Event Audit Logs
4. Policy Denied Audit Logs
Audit log entries include the following objects:
- Log entry itself, which is an object of type LogEntry. Useful fields include the following:
  - logName contains the Resource ID and Audit Log Type.
  - resource contains the target of the audited operation.
  - timeStamp contains the time of the audited operation.
  - protoPayload contains the audited information.
To enable audit logging for the chronicle.googleapis.com service, see Enable Data Access audit logs.
To enable audit logging for other services, contact Google SecOps Support.
To populate UDM Search and Raw Log Search Queries in the Google SecOps Audit Logs, update the Data Access Audit Logs configuration with the necessary permissions.
In the navigation panel of the Google Cloud Console, select IAM & Admin > Audit Logs.
Select an existing Google Cloud Project, Folder, or Organization.
In Data Access Audit Logs Configuration, select Chronicle API.
In the Permission Types tab, select all the listed permissions:
1. Admin Read
2. Data Read
3. Data Write
Click Save.
Repeat steps 11 - 13 for Chronicle Service Manager API.
To find and view audit logs, use the Google Cloud project ID.
In the Google Cloud Console, use the Logs Explorer to retrieve your audit log entries for the Google Cloud project.
In the Google Cloud Console, go to the Logging > Logs Explorer page.
Note: If users are using the Legacy Logs Viewer page, switch to the Logs Explorer page.
On the Logs Explorer page, select an existing Google Cloud Project, Folder, or Organization.
In the Query Builder pane, do the following:
1. In Resource Type, select the Google Cloud resource whose audit logs you want to see.
2. In Log Name, select the audit log type that you want to see:
  - For Admin Activity audit logs, select Activity.
  - For Data Access audit logs, select Data_access.
If you don't see these options, no audit logs of that type are available in the Google Cloud Project, Folder, or Organization.

Relevant Documentation Links

[All Steps] https://cloud.google.com/chronicle/docs/administration/audit-logging
[Additional Steps] https://cloud.google.com/logging/docs/audit

Next Step: Security Operations: Step 2 - Ingestion

Previous Step: Security Operations: Step 1.1 - Administration | Initial Config

Security Operations: Step 2 - Ingestion

Thu, 31 Oct 2024 16:48:10 GMT

This section of Google Security Operations onboarding will go over Ingestion: Configure Data Ingest and Utilize SecOps Marketplace.

Prerequisites

Entitlement for Google SecOps on the account and project.
Administrative access to Google SecOps.
Administrative access for any 3rd party applications that are intended to be connected to Google SecOps

Next Step: Security Operations: Step 2.1 - Ingestion | Configure Data Ingest

Previous Step: Security Operations: Step 1.2 - Administration | Admin Setup

Security Operations: Step 2.1 - Ingestion | Configure Data Ingest

Mon, 04 Nov 2024 15:52:06 GMT

Data Ingest is the core of Google SecOps ingests raw log data, alerts, and other information. Ingested information is normalized and indexed for rapid search, then context enriched with data available from other ingested sources including threat intelligence feeds.

Configuring data ingest is the first step in preparing Google SecOps to correlate security events for your SecOps team. Google’s industry leading SecOps indexing, context enrichment, and search will enable your SecOps analysts to respond rapidly with a comprehensive view of threats and events.

Actions

Install & Configure Forwarders

Google SecOps SIEM forwarder is a software component that runs on a machine or device on your network, such as a server. Google SecOps SIEM forwarder can collect log data and network interface packets and forward that data to your Google SecOps SIEM instance.

Steps

To add a new forwarder, users will select Settings in the left-side Navigation Bar and then select SIEM Settings, that will display the Settings page.
In the Settings page, users will select Forwarders, that will display the page.
Users can conduct search for Forwarders in the Search bar.
Users also have the ability to Filter the list of Forwarders by selecting the Filter icon to the left of Create Forwarder.
Users can add a new Forwarder by selecting Add New Forwarder.
In the Forwarder Name field, can create a new Forwarder name.
To further configure, users will expand the Configuration Values section and specify any of the following:
1. Upload compression
2. Asset namespace
3. Label key
4. Label value
5. Filter description
6. Regular expression
7. Filter behavior
Optional: Toggle Server Settings to configure the forwarder's built-in HTTP server, which can be used to configure load balancing and high availability options for syslog collection on Linux.
Click Submit.

Relevant Documentation Links

[All Steps] https://cloud.google.com/chronicle/docs/install/install-forwarder

Parsers

Parsers normalize raw log data into structured Unified Data Model format. Google Security Operations provides a set of default parsers that read original raw logs and generate structured UDM records using data in the original raw log.

Steps

To add a new Parser, users will select Settings in the left-side Navigation Bar and then select SIEM Settings, that will display the Settings page.
In the Settings page, users will select Parsers, that will display the Parsers page.
Users can conduct search for Log Types in the Search bar or from the Log Source list.
Users also have the ability to Filter the list of Parsers by selecting the Filter icon to the left of Create Parser.
Users can add a new Parser by selecting Create Parser.
Users will see a Create New Custom Parser popup.
On the Create New Custom Parser popup, users will enter a new Log Source in the Select the Log Source field.
To further configure a new Custom Parser, users will write a new Code in the Parser Code Terminal for the Parser, and then select Validate by selecting the Validate button.
Users can see the UDM Output in the UDM Output Preview box, to the right of the UDM Output text box, by selecting the Preview button.
If the UDM Output is correct and final, users will select Validate to create the Parser.
The validation process may take a few minutes, so we recommend that you preview the Custom Parser first, make changes if required, and then validate the Custom Parser.
Click Submit.
The Parser is picked for normalization after 20 minutes.

Relevant Documentation Links

[All Steps] https://cloud.google.com/chronicle/docs/event-processing/manage-parser-updates

Create and Manage Feeds

Google SecOps allows to users to create, manage, and troubleshoot feeds using the feed management UI. Managing the feeds includes modifying, enabling, and deleting the feeds.each data feed to have its own set of prerequisites that must be completed prior to setting up the feed in Google SecOps.

Steps

To add a feed to your Google SecOps account, complete the following steps. Users can add up to five feeds for each log type.
From the Google SecOps menu, select Settings, SIEM Settings, and then click Feeds. The data feeds listed on this page include all the feeds that Google has configured for your account in addition to the feeds that you have configured.
Click Add New. The Add Feed window is displayed.
Add a feed name, by searching the Source type list, select the source type through which users intend to bring data into Google SecOps. Users can select from the following feed source types:
1. Amazon Data Firehose
2. Amazon S3
3. Amazon SQS
4. Google Cloud Pub/Sub
5. Google Cloud Storage
6. HTTP(S) Files (non-API)
7. Microsoft Azure Blob Storage
8. Third party API
9. Webhook
In the Log Type list, select the log type corresponding to the logs that the user wants to ingest. The logs available vary depending on which source type you selected previously.
Click Next.
Review the user’s new feed configuration from the Finalize tab. Click Submit when you are ready. Google SecOps completes a validation check of the new feed. If the feed passes the check, a name is generated for the feed, it is submitted to Google SecOps, and Google SecOps begins to attempt to fetch data.

Relevant Documentation Links

[All Steps] https://cloud.google.com/chronicle/docs/administration/feed-management

Connectors

Google SecOps SOAR uses connectors to ingest alerts from a variety of data sources into the platform. A connector is one of the items in an integration package which can be downloaded through the Google SecOps Marketplace.

Prerequisites

Users will need to download an Integration that has a Connector in Marketplace.

Steps

To add a new Connector, users will select Settings in the left-side Navigation Bar and then select SOAR Settings, that will display the Settings page.
In the Settings page, users will select Ingestion dropdown menu, and select Connectors in the dropdown menu.
A Connectors popup page will appear, that will display a Search field to select from options for Connectors.
Users can also select the Create New Connector button at the top-right of the Connectors popup page.
An Add Connector popup page will appear, where users can select a from a Connector list in a dropdown menu.
The option to select a Remote Connector can be selected by click the Remote Connector checkbox.
If no Agents are configured, users can select Install Agent in the Add Connector popup.
Users will then select Create.
A New Connector Configuration page will appear.
In this page, users will be able to configure a New Connector with three tabs, consisting of the following input pages:
1. Parameters- consisting of Mandatory and Advanced fields.
2. Testing
3. Logs
When complete, users will select Save.
If users need to add a Domain, they will navigate to the Settings > SOAR Settings > Environments > Domains.
Users will click the Add button on the top right of the Domains page.
Enter the Domain and Environment into the Add Domain popup .
When complete users will select Add.
If users need to add a Network, they will navigate to the Settings > SOAR Settings > Environments > Networks.
Users will click the Add button on the top right of the Domains page.
Enter the following information into the Add Network popup:
1. Name
2. CIDR Format
3. Priority level
4. Environment
When complete users will select Add.

Relevant Documentation Links

Next Step: Security Operations: Step 2.2 - Ingestion | Utilize SecOps Marketplace

Previous Step: Security Operations: Step 2 - Ingestion

Security Operations: Step 2.2 - Ingestion | Utilize SecOps Marketplace

Thu, 31 Oct 2024 16:48:39 GMT

The Google SecOps Marketplace offers a central hub where you can access a wealth of pre-built integrations, community-developed playbooks, and powerful analytics – all designed to streamline your Security Operations Center (SOC) workflows and supercharge your incident response.

The Marketplace empowers you to seamlessly connect Google SecOps with leading security tools, automate repetitive tasks with pre-built playbooks, and gain invaluable insights from comprehensive dashboards. This collaborative environment fosters innovation, saves valuable time, and allows your SOC team to focus on what matters most – effectively combating cyber threats.

Prerequisites

Entitlement for Google SecOps on the account and project.
Administrative access to Google SecOps.
Administrative access for any 3rd party applications that are intended to be connected to Google SecOps

Actions

Marketplace Use-Cases

The Google SecOps Marketplace acts as the customer's toolbox, holding a wide range of utilities and options to choose from. The Marketplace also contains a repository for predefined Use Cases, Power Ups that enhance Playbook capabilities, and Analytics that provide valuable insights.

Steps

To begin users will go to the left-side Navigation Bar and then select Marketplace, that will display the Google SecOps Marketplace page.
Users will also see three tabs to select from, consisting of:
1. Use Cases
2. Integrations
3. Power Ups
Users will select the Use Cases tab, which will display many pre-defined Use Cases at the bottom of the page.
In the Marketplace page, users will see a Search bar at the top-right of the page, to Search for Use Cases.
Users will have the option to Filter the category types of Use Cases they want to display at the center of the page.
These categories consist of:
1. Malware
2. Endpoint
3. Threat Hunting
4. Investigation
5. Threat Intelligence
6. Insider Threat
7. …and more
To the right of Filters is a Use Case Option menu, which will give the user a choice to:
1. Create New Use Case
2. Import Use Case
3. Export Use Case
4. Refresh
Once a user has found a Use Case to Install, they will select the Use Case, by clicking Install.
A popup window will appear, which will display the Use Case with five steps:
1. Use Case Information
2. Use Case Items
3. Install Use Case Items
4. Configure Integrations
5. Run Use Case
Typically the Use Case Information section will display a video from Google SecOps that will give users a basic overview with and step-by-step instructions on how to install and run the Use Case.
On the same page, users will see a description and three to four dropdowns that will display:
1. Playbooks
2. Integrations
3. Test Cases
4. Connectors
Users will select Next.
Users will see the Use Case Items page, that will show Install Use Case Items at the top of the page. Here users will be able to:
1. Install Integrations
2. Install Playbooks
3. Install Simulation Cases
Users will have a Search function in section and an option to Override existing Ontology.
Users will select Install to Install the Use Case items. Once the Installation is completed, it will display Installation Completed, with all of the Integrations, Playbooks, and Simulation Cases installed. Then select Next.
Users will see the Configure Integrations page, listing all of the Integrations. Each Integration will have the following fields to Configure:
1. Instance
2. Environment
3. Instance Name
4. Description
5. Parameters
6. API Key
7. Verify SSL
Users will then have the option to Test and Save each Integration.
When complete, users will select Next.
In the Run Use Case page, users will see an option to Select Alert for Simulation by selecting the checkbox next to the Use Case and select Next.
Once selected users will see a Congratulations message and the Next Steps to:
1. Simulate More Alerts
2. To Connect Your Data
3. Connect your Remote Environment
Users will select Finish.

Relevant Documentation Links

[All Steps] https://cloud.google.com/chronicle/docs/soar/marketplace/run-use-cases

Use Case Example

Here is an example of how to install and configure the Use Case “Phishing Use Case - Zero to Hero”:
Users will select the Marketplace on the left Navigation Bar.
Select Use Case tab on the Google Marketplace page.
In the pre-defined Use Cases below, select from the Community-version “Phishing Use Case - Zero to Hero” and click Install.
After watching the Guide Video in the Use Case Information section, users will see the Playbooks, Integrations, Test Cases, and Connectors associated with the Use Case, and select Next.
In the Use Case Items section, users will see the Integrations, Playbooks, and Simulations Cases that will be Installed. If there is a conflict with an existing Ontology, and the user chooses to Override, they will select the box next to Override Existing Ontology. Once complete, users will then select Install.
Once Installed, users will see that their Installation is complete, and will select Next.
Once users Configure their Integration, they can Test and Save the Configuration, then select Next.
In the Run Use Case section, users will select the Alert for Simulation, by selecting the checkbox next to the Use Case, then select Next.
In the final step, once the Use Case is deployed, users will see instructions on Next Steps and how to navigate to the Cases screen to see the simulations in action. Once done, select Finish.

Marketplace Integrations

Steps

To begin users will go to the left-side Navigation Bar and then select Marketplace, that will display the Google SecOps Marketplace page.
Users will also see three tabs to select from, consisting of:
1. Use Cases
2. Integrations
3. Power Ups
In the Marketplace page, users will see a Search bar at the top-right of the page, to Search for Integrations.
Users will select Integrations, which will display many pre-defined Integrations at the bottom of the page.
Users will have the option to Filter the category types of Integrations they want to display at the center of the page.
These categories consist of:
1. Security
2. Threat Intelligence
3. IT & Infrastructure
4. Access Management
5. IAM
6. …and more
At the top of the page are two dropdown menus:
1. Type
2. Status
In the Type menu, users can select from the following Integrations:
1. All Integrations
2. Google SecOps Integrations
3. Published by Community
4. Custom Integrations
In the Status menu, users can select Integrations that are:
1. Installed
2. Not Installed
3. Available Upgrade
Users can read the Details of each Integration by selecting the Details button.
Once a user has found an Integration to Install, they will select the Integration, by clicking Install.
Users will see a popup showing the Integration is complete.
Once an Integration is complete, users will see that the Install button has be replaced with a Configure button. User will select Configure.
A Configure Instance popup will appear, that will display the following fields:
1. Environment
2. Instance Name
3. Description
4. Parameters
5. API Key
6. Verify SSL
Users will have the option to Test the Instance, by selecting the Test button.
Once complete, users will select Save.
Note: Users can make changes at a later stage if needed. Once configured, the instances can be used in Playbooks.

Relevant Documentation Links

[All Steps] https://cloud.google.com/chronicle/docs/soar/respond/integrations-setup/configure-integrations

Marketplace Power-Ups

Steps

To begin users will go to the left-side Navigation Bar and then select Marketplace, that will display the Google SecOps Marketplace page.
Users will also see three tabs to select from, consisting of:
1. Use Cases
2. Integrations
3. Power Ups
In the Marketplace page, users will see a Search bar at the top-right of the page, to Search for Power Ups.
Users will select Power Ups, which will display many pre-defined Power Ups at the bottom of the page.
Users will have the option to filter the list of Power Ups by selecting by Status, using the following options:
1. Installed
2. Not Installed
3. Available Upgrade
Users can read the Details of each Power Up by selecting the Details button.
Once a user has found an Power Up to Install, they will select the Power Up, by clicking Install.
Users will see a popup showing the Integration is complete.
Once an Power Up is complete, users will see that the Install button has be replaced with a Configure button. User will select Configure.
A Configure Instance popup will appear, that will display the following fields:
1. Environment
2. Instance Name
3. Description
Users will have the option to Test the Instance, by selecting the Test button.
Once complete, users will select Save.

Relevant Documentation Links

[All Steps] https://cloud.google.com/chronicle/docs/soar/marketplace/using-the-marketplace

Next Step: Security Operations: Step 3 - Detect

Previous Step: Security Operations: Step 2.1 - Ingestion | Configure Data Ingest

Security Operations: Step 3 - Detect

Thu, 31 Oct 2024 16:48:58 GMT

This section of Google Security Operations onboarding will go over Detect: Threat Detection.

Next Step: Security Operations: Step 3.1 - Detect | Threat Detection

Previous Step: Security Operations: Step 2.2 - Ingestion | Utilize SecOps Marketplace

Security Operations: Step 3.1 - Detect | Threat Detection

Thu, 31 Oct 2024 16:49:10 GMT

Google SecOps Threat Detection feature allows for detection enrichment capabilities that enables security analysts and detection engineers to craft a detection on a basic pattern of event telemetry (an outbound network connection), creating numerous detections for their analysts to triage. The analysts attempt to stitch together an understanding of what happened to trigger the alert and how significant the threat is.

Actions

View Alerts and IOCs

Google SecOps features an Alerts and IOCs page, that displays all the alerts and indicators of compromise (IOC) currently impacting your enterprise. This provides multiple tools that enable you to filter and view your alerts and IOCs.

Steps

Users will navigate to the left-side Navigation Bar and then select Detection, which will display a dropdown menu.
Select Alerts & IOCs to display the Alerts & IOCs page.
Users will see two tabs:
1. Alerts
2. IOC Matches
Users will have options in the popout page, under the Alerts tab consisting of:
1. Manage Columns
2. Filter
3. Status
4. Clear All
5. Search Bar
6. Refresh Time
7. Showing (Date Range)
8. Refresh
9. Alerts List Options
Under the IOC Matches tab, users will see a Filters section consisting of:
1. Associations
2. Campaigns
3. Categories
4. GCTI Priority
5. Sources
6. Status
7. Type
At the top of the IOCs list popout, users will see Filter options consisting of:
1. Filter
2. Search Bar
3. Date Range
4. Refresh
5. Download as CSV
In the IOCs popout section, users will see a list of IOCs with multiple columns:
1. IOC
2. Type
3. Status
4. GCTI Priority
5. Categories
6. Sources
7. Assets
8. Severity
9. Associations
10. Campaigns
11. First/ Last Seen
12. VirusTotal Context

Additional Documentation Links

[All Steps] https://cloud.google.com/chronicle/docs/investigation/alerts-iocs

Create/ Monitor Events w/ Rules

Google SecOps features Rules feature, that are the backbone of ensuring data is actionable and aligned to your unique policies within Google SecOps. Rules allow your SecOps team to tailor information and alerting to the unique needs of your organization.

Steps

Users will navigate to the left-side Navigation Bar and then select Detection, which will display a dropdown menu.
Select Rules & Detections in the dropdown to display the Rules & Detections page.
The Rules & Detections page will display four tabs consisting of the following features:
1. Rules Dashboard
2. Rules Editor
3. Curtated Detections
4. Exclusions
In the Rules Dashboard, users will see the following features at the top of the page:
1. Search Rules
2. Data Freshness
3. Last Refreshed Time
Below in the Rules Dashboard users will be able to see a Rules List consisting of the Rules Search results.
The Rules Dashboard results list consists of the following columns:
1. Number of Detections Found Today
2. Rule Name
3. Detections Per Day
4. Last Detection
5. Author
6. Severity
7. Alerting
8. Retrohunt
9. Rule Type
10. Run Frequency
11. Live Status
The Rules Editor page will display the capability to:
1. Create New Rule
2. Filter
3. Reference List
When users select the New Rule button, a Rules Editor Terminal will appear in the Rules Editor page.
When a Rule is completed, user will have the option to Discard the Rule or Save New Rule.
At the bottom-right of the Rules Editor, users can run a test on their new Rule by selecting Run Test.
Users will have the capability to select from a Curated Detection list under the Curated Detections tab.
At the top of the page, users will see a display of the highlighted Rules, consisting of:
1. Enabled Rule Sets
2. Most Active Rules
3. Most Active Rule Sets
Users will also be able to see in the main section of Curated Detections:
1. Rules Sets
2. Rules Dashboard
In the Rule Sets section, users will see displayed, a list of Rule Sets, with the following columns:
1. Name
2. Last Updated
3. Enabled Rules
4. Alerting
5. Capacity
6. MITRE Tactics
7. MITRE Techniques
When a Rule Set is selected, user will see a display page of the Rule’s Settings and Sources.
In the Exclusions page, users will see a display of Exclusions, with the following columns:
1. Exclusion Name
2. Applied To
3. Activity
4. Created On
5. Last Updated
6. Status
Users can create an Exclusion by selecting Create Exclusion.
In the Create An Exclusion popup, users can filter out Detections that meet specific criteria, under the following entry fields:
1. Exclusion Name
2. Rule Set or Rule
3. UDM Field
4. Operator
5. Values
6. Add Conditional Statement
Users will have an option to test the Exclusion Rule by selecting Run Test.
To add the Exclusion Rule, users will select Add Rule Exclusion.

Additional Documentation Links

[All Steps] https://cloud.google.com/chronicle/docs/detection/view-all-rules

Risk Analytics

Google SecOps Risk Analytics dashboard lets you view your environment through a risk-based lens. Visualizing entity risk trends helps you identify unusual behavior and understand the potential risk that entities pose to your enterprise.

The Risk Analytics dashboard lists at-risk entities and risk factor details.

Steps

Users will navigate to the left-side Navigation Bar and then select Detection, which will display a dropdown menu.
Select Risk Analytics in the dropdown to display the Risk Analytics page.
The Risk Analytics page will display two tabs consisting of the following features:
1. Behavior Analytics
2. Watchlists
In the Behavior Analytics page, users will see the following sections:
1. Summary Metrics
2. Entities
The Summary Metrics section will display the Total Count of Entities and Risk Score Distribution metrics.
At the bottom of the Behavioral Analytics page, users will see the Entities section consisting of the following columns:
1. Entity Name
2. Entity Type
3. Normalized
4. Normalized Change
5. Normalized Trend
6. Base
7. Base Change
8. Base Trend
9. Findings Count
10. First Seen in Window
11. Last Seen in Window
Users will select a Risk Analytic Entity and see the Findings Timeline consisting of the Findings and the Entity Details.

Additional Documentation Links

[All Steps] https://cloud.google.com/chronicle/docs/detection/risk-analytics-overview

List Manager

Google SecOps List Manager is a tool that allows users to manage reference lists and add custom lists. Users can add scopes to reference lists, open reference lists associated with rule sets, and add items to them.

Steps

Users will navigate to the left-side Navigation Bar and then select Detection, which will display a dropdown menu.
Select List in the dropdown to display the List Manager page.
The List Manager page will display a popout of the Lists available to the user, along with the List Details and who the List is Referenced By.
Users will be able to Create a List by selecting Create in the List Manger.
The List Manager will show a List Manager Details Terminal consisting of the following:
1. Syntax Type
2. Title
3. Description
4. Terminal
When complete users will select Save Edits.

Additional Documentation Links

[All Steps] https://cloud.google.com/chronicle/docs/detection/risk-analytics-overview

Next Step: Security Operations: Step 4 - Investigate

Previous Step: Security Operations: Step 3 - Detect

Security Operations: Step 4 - Investigate

Thu, 31 Oct 2024 16:49:33 GMT

This section of Google Security Operations onboarding will go over Investigate: Investigation and Investigate Cases & Alerts.

Next Step: Security Operations: Step 4.1 - Investigate | Investigation

Previous Step: Security Operations: Step 3.1 - Detect | Threat Detection

Security Operations: Step 4.1 - Investigate | Investigation

Thu, 31 Oct 2024 16:49:50 GMT

Google SecOps lets you investigate many different aspects of the information stored in your Google SecOps account. SecOps Investigation lets you to examine the aggregated security information for your enterprise going back for months or longer. Use Google SecOps to search across all of the domains accessed within your enterprise.

Actions

SIEM Search

The SIEM Search function lets you find events and alerts within your Google SecOps instance. SIEM Search includes a variety of search options that help you to navigate through your data. You can search for individual events and groups of events tied to shared search terms.

Steps

Users will navigate to the left-side Navigation Bar and then select Investigation, which will display a dropdown menu.
Select SIEM Search to display the SIEM Search page.
On the SIEM Search page, users will be able to see a Search Query bar at the top of the page. Users can enter questions in natural language form.
1. Example: “Find Externally Shared Documents with Confidential in the Title.”
Once a Query is entered, users will select Generate Query.
The Query will appear in the Terminal box below Search Query, showing Field and Operator.
At the main part of the page, users will see the following options:
1. Your Search History
2. Your Saved Searches
3. Searches Shared With You
Users will have the following options:
1. Search History (Open Search Manager)
2. UDM Lookup
3. Lists
4. Feedback on Generated Query
5. Rewrite Query
6. Case Sensitivity
7. Date/ Time Range
8. Run Search
Once a Query has been generated, users will see three tabs in the main section of the page:
1. Overview
2. Events
3. Alerts
If there are results, a number value will appear next to each section tab.
Overview tab results will show entity Overview data.
Events tab results will show the following details:
1. Trend Over Time
2. Prevalence
3. Filter Options
4. Aggregations
  - Grouped Fields
  - UDM Fields
5. Events
  - Timestamp
  - Event
  - User
  - Hostname
  - Process Name
6. Search Events
To Search for Events, users will enter a query into the Search Events field and select Apply To Search and Run button.
If an event is selected, users will see an Event Viewer to the right of the Event, consisting of:
1. Entities
2. UDM Fields
3. Raw Log w/ option to Manage Parser.
Under the Events Results section, users can download the Queried Events by selecting the Download as CSV button.

Relevant Documentation Links

[All Steps] https://cloud.google.com/chronicle/docs/investigation/udm-search

SOAR Search

The SOAR Search page lets you find specific cases or entities indexed by Google SecOps SOAR. Google SecOps SOAR stores all case and entity information from cases, giving you the ability to retrieve information that may be relevant for what you are investigating.

Steps

Users will navigate to the left-side Navigation Bar and then select Investigation, which will display a dropdown menu.
Select SOAR Search to display the SOAR Search page.
On the SOAR Search page, users will be able to see a Search Query bar at the top of the page.
To the left of the Search Query bar are two dropdown menus to filter between Cases and Entities, and a Date Range filter.
On the left-side of the SOAR Search page, is a series of Filter options, each with a dropdown menu.
The Cases Filter options consist of:
1. Status
2. Environments
3. Tags
4. Users
5. Category Outcomes
6. Ports
7. Products
8. Case Source
9. Case Stages
10. Alert Types
11. Priorities
12. Importance
13. Is Incident
The Entities Filter options consist of:
1. Networks (Top 20)
2. Environments (Top 20)
3. Type
4. Is Suspicious
5. Is Internal Asset
6. Is Enriched
Results for both will appear in the main section of both pages.

Relevant Documentation Links

[All Steps] https://cloud.google.com/chronicle/docs/secops/google-secops-soar-toc

Next Step: Security Operations: Step 4.2 - Investigate | Investigate Cases & Alerts

Previous Step: Security Operations: Step 4 - Investigate

Security Operations: Step 4.2 - Investigate | Investigate Cases & Alerts

Thu, 31 Oct 2024 16:50:04 GMT

Google SecOps ingests alerts from a variety of sources. Each alert is ingested with its underlying base security events. Those security events are analyzed, and their indicators, such as sources, destinations, and artifacts, are extracted into objects called entities. Each entity stored in the platform starts collecting data on it, including comments, enrichment data, and reports, allowing analysts yo review this history when handling future cases involving that entity.

Actions

Working Cases

Google SecOps Cases provides the analysts a way to investigate the incoming security alerts and safeguard workstations. Analysts can create manual cases and simulated cases and ingest specific data.

Steps

Users will navigate to the left-side Navigation Bar and then select Cases.
On the top-left of the Cases page, users will see several options to navigate through Cases:
1. Cases View Selection
2. Refresh Cases
3. Switch to Default Mode
4. Select Multiple Cases
5. Add Cases
6. Sort By
7. Cases Filter
8. Search Case Name
When users select the Cases Filter, users will see a Case Queue Filter popup, which will display the following sections/ fields:
1. Parameters
2. Logical Operator
3. Add Criteria
4. Save Filter
When a Case is shown as a result, it will appear in the left-side bar.
When a Case is selected, a popout page will appear.
Cases will have an assigned:
1. Case ID Number
2. Environment
3. Tier designation
4. Date/ Time Range
At the top of the Case page, users will also see the following options:
1. Triage
2. Chat
3. Close Case
4. Case Actions
5. Close Case
6. Manage Tags
Each Case will have three views:
1. Overview
2. Case Wall
3. Case Details
To the right of each View are the following options:
1. Manual Action
2. Case Tasks
3. Alert Options (only in Case Details view)
In the Case Overview, users will see a Gemini Summary of the of the Case, consisting of:
1. Suggestion
2. What Actually Happened
3. The Next Steps You Should Take
There are additional sections below consisting of:
1. Case Description
2. Pending Actions
3. Alerts
4. Entities Graph
5. Entities Highlights
6. Latest Case Wall Activity
7. Recommendations
8. Statistics
9. Comment Section
  - Option to Attach File
The Case Wall view will allow users to view the Case Details:
1. Actions
2. Status Changes
3. Tasks
4. Comments
5. Insights
6. Pinned Chat Messages
7. Favorites
  - Each Case Detail can be marked as a Favorite.
There are Filter options in Case Wall view:
1. Alert Type
2. User
3. Sort By Date/ Time
The Case Details view has four tab options:
1. Overview
2. Events
3. Playbooks
4. Graph
The Overview tab in Case Details will display information consisting of:
1. Alert Details
2. Pending Actions
3. Entities Highlights
4. Events
5. Comment Section
  - Option to Attach File
6. Events
The Events tab will display a list of Events, consisting of:
1. Name
2. Type
3. Source
4. Port
5. Outcome
6. Time
7. Option to Configure Event
Under the Events tab, users can also Search for details. These details have sections below that include:
1. Highlighted Fields
2. Default
3. System
4. Threat
5. Event
6. Time.
Under the Playbooks tab, users will see the following options:
1. Refresh
2. Jump to Case Wall
3. Add Playbook
If the user selects a Playbook, select Add Playbook, and a Add a Playbook popup will appear.
Users will be able to select a specific Playbook, and select Add.
All selected Playbooks will show in the side-bar under Playbooks.

Relevant Documentation Links

[All Steps] https://cloud.google.com/chronicle/docs/soar/investigate/working-with-cases/cases-overview

Your Workdesk

Google SecOps Workdesk is the first step in taking care of your SOC daily routine. Your Workdesk allows you to manage your cases, collaborate with your team members, and quickly respond to manual actions in the Playbooks.

Steps

Users will navigate to the left-side Navigation Bar and then select Your Workdesk.
On the top-left of the Your Workdesk page, users will see several options:
1. My Cases
2. Pending Actions
3. My Tasks
4. Requests
5. Workspace
6. Announcements
Users view Cases in the My Cases tab, through four sections:
1. Assigned to Me
2. Assigned to My Role
3. Mention of Me
4. Mention of My Role
At the bottom of the My Cases page, users can Refresh the list, by selecting Refresh.
Users view Pending Actions in the Pending Actions tab, with five Pending Action ratings:
1. Critical
2. High
3. Medium
4. Low
5. Informative
The Pending Actions page also has a Search Function.
At the bottom of the Pending Actions page, users can Refresh the list, by selecting Refresh.
Users can view/ create their Tasks in the My Tasks tab, with four sections:
1. Status
2. Assigned to Me
3. Assigned to My Role
4. Created by Me
The My Tasks page also has a Search Function.
At the bottom of the My Tasks page, users can Create a New Task by selecting Create a New Task button.
In the Create Task popout page, users can fill in the following information:
1. Title
2. Task Content
3. Assign To
4. Due Date
When users have filled out the Create Task information, select Save.
Users can view/ create Requests in the Requests tab, with an option view Open and Closed Requests.
The Requests page also has a Search.
To Create a New Request, users can select the Add Request button, to the right of the Search field, or by selecting Create a New Request button at the bottom of the page.
When users have filled out the New Request information, select Save.
The new Request will display on the page after a few minutes.
Users will click the Case ID to see the Case in the Cases page with full details.
After the Request is put in, the user’s approving manager will review the the Case and approve or deny the Request.
Under the Workspace tab, is Workspace page, users can view/ create the following four sections:
1. Links
2. Files
3. My Contacts
4. Notes
The Create Link section consists of:
1. URL Address
2. Link Description
When complete, users will select Save.
The Create File section consists of:
1. File Address
2. File Description
When complete, users will select Save.
The Create Contact section consists of:
1. Contact Name
2. Phone Number
3. Contact Email
4. Contact Description
When complete, users will select Save.
The Create Note section consists of:
1. Note Title
2. Note Content
When complete, users will select Save.
Notes can be searched for through the Search field.
The Notes section also has a Default Note template, that can be Deleted or Edited.
Users can view/ create their Announcements in the Announcements tab.
The Announcements page also has a Search Function.
To Create a New Announcement, users can select the Add Announcement button, to the right of the Search field, or by selecting Create a New Announcement button at the bottom of the page.

Relevant Documentation Links

[All Steps] https://cloud.google.com/chronicle/docs/soar/overview-and-introduction/your-workdesk/workdesk

Next Step: Security Operations: Step 5 - Respond

Previous Step: Security Operations: Step 4.1 - Investigate | Investigation

Security Operations: Step 5 - Respond

Thu, 31 Oct 2024 16:50:18 GMT

This section of Google Security Operations onboarding will go over Respond: Response and Dashboard and Report.

Next Step: Security Operations: Step 5.1 - Respond | Response

Previous Step: Security Operations: Step 4.2 - Investigate | Investigate Cases & Alerts

Security Operations: Step 5.1 - Respond | Response

Thu, 31 Oct 2024 16:50:31 GMT

Actions

Work w/Playbooks

Google SecOps Response function provides the analysts a way to respond to cyber threats in minutes, not days. Enable modern, fast, and effective response by combining low-code automation with powerful collaboration.

A playbook is built on triggers, actions, and flows. Once it is triggered, the playbook moves along the actions to a final resolution.

Steps

Users will navigate to the left-side Navigation Bar and then select Response dropdown menu, then select Playbooks.
At the top-left of the page, users can select from a dropdown menu, that allows users to choose:
1. Show All
2. Playbooks
3. Blocks
Next users can select Menu. Before clicking on the menu icon to perform bulk actions, make sure to click the edit icon and select the required Playbooks or Blocks. Clicking on the Menu opens up the following actions:
1. New Folder
2. Duplicate
3. Change Priority
4. Export
5. Import
6. Move To
7. Delete
New Folder allows users to add new Playbook Folders.
Duplicate allows users to create a Duplicate Playbook with the following options:
1. Keep or change Priority
2. Keep in same Folder or move to a different Folder
3. Choose Environments it belongs to. Options include single or multiple Environments or All Environments, where all means all defined Environments as well as Environments that will be defined in the future.
Change Priority allows users to change Priority level.
Export and Import is useful for sending both Playbooks and Playbook Blocks from staging to production server and the other way around. The Playbooks will be Exported or Imported with their customized views attached. The system only recognizes zip files for Import.
Move To allows users to move Playbooks and Blocks to another Folder or even create a new Folder from this option.
Delete allows users to Delete Playbooks and Blocks.
To the right of Menu, are additional options:
1. Filter
2. Edit
3. Add New Playbook or Block
Filter allows users to:
1. Turn on Playbook Simulator
2. Show Active Playbooks
3. Set Priority
4. Choose Environments
Edit allows users to select single or multiple Playbooks and Blocks to Edit the Playbook or Block names.
Add New Playbook or Block allows users to:
1. Select the type of Playbook or Block
2. Choose Folder
3. Choose Environment
Also in the top-left, below the Menu and Playbook options, is a Search function, that allows users to Search for Playbooks or Blocks.
At the top of main section of the Playbooks page, users will see the top bar of the Playbook Designer.
At the top segment of the Playbook Designer pane, users can use the horizontal toggling button to enable or disable the Playbook. In that pane, users can access:
1. Playbook or Block details
2. Description
3. Toggle Activating Playbook Simulator
4. Playbook Priority
5. Version Control
6. Configure Who Can See or Edit Playbook
7. Playbook
In the Playbook Simulator, users will have the following features:
1. Open Step Selection, with available options:
  - Triggers
  - Actions
  - Flow
  - Blocks
2. Fit to Screen
3. Revert to Default Arrangement
4. Zoom In (Steps)
5. Download as PNG File
6. Undo Changes
7. Redo Changes
8. Playbook Monitoring (Statistics)
9. Playbook Navigator (All Actions and Flows)
10. Edit w/ Gemini (AI)

Relevant Documentation Links

[All Steps] https://cloud.google.com/chronicle/docs/soar/respond/working-with-playbooks/whats-on-the-playbooks-screen

Integrations Setup

Google SecOps provides the analysts a way to respond to cyber threats in minutes, not days. Enable modern, fast, and effective response by combining low-code automation with powerful collaboration.

Integrations are packages that can be installed from the Google SecOps Marketplace. When you install an integration, you are adding connectors, playbook actions and scheduled jobs. These are all able to connect Google SecOps with third-party products in order to perform tasks.

Steps

Integrations are configured under Integrations Setup. Users will navigate to the left-side Navigation Bar and then select Response dropdown menu, then select Integrations Setup.
At the top-left of the page, users will see side panel with two predefined options: Default Environments and Shared Instances, that contains the user’s Integrations.
In the side panel, users will have the options:
1. Hide Empty Environments
2. Filter Environments
  - Environments
  - Integrations
  - Configured
  - Remote Integrations
3. Search Bar
4. List of Environments and Instances
In the main page of each Environments option, users will be able to see their Integrations, to include the following options:
1. Search Field
2. Create a New Instance
3. Read More (about the Integration)
4. Configured/ Not Configured
5. Configure Instance
6. Delete Instance
If a user needs to Configure an Instance, click the Configure Instance button. In both current or new Instances, users can configure the following sections:
1. Instance Name
2. Description
3. Parameters
  - The Parameters has several options available depending on the Instance.
4. Test
5. Save

Relevant Documentation Links

[All Steps] https://cloud.google.com/chronicle/docs/soar/respond/integrations-setup/configure-integrations

Using IDE

Google SecOps provides the analysts a way to respond to cyber threats in minutes, not days. Enable modern, fast, and effective response by combining low-code automation with powerful collaboration.

Integrated Development Environment (IDE) production mode. The IDE is a framework for viewing, editing, and testing code. It allows you to view the code of commercial integrations and to create custom integrations from scratch or by duplicating commercial integrations code. In addition – this is the place to manage, import and export custom integrations.

Steps

Integrations are configured under Integrations Setup. Users will navigate to the left-side Navigation Bar and then select Response dropdown menu, then select IDE.
At the top-left of the page, users will see side panel, where they select the following options:
1. Toggle for Staging and Production mode
2. Import/ Export
3. Create New Item
4. Integration Types
5. Search Bar
Users who want to choose an item, will select between Integrations or Types, which includes a pre-defined list of:
1. Integrations
2. Connectors
3. Actions
4. Jobs
5. Managers
To create a Connector, users will click Create New Item and select Connector. Enter a Connector Name and the required Integration, then click Create.
To create an Action, users will click Create New Item and select Action. Enter an Action Name, the required Integration, and Action Type, then click Create.
To create a Job, users will click Create New Item and select Job. Enter a Job Name and the required Integration, then click Create.
To create an Integration, users will click Create New Item and select Integration. Enter an Integration Name and then click Create.
To create a Manager, users will click Create New Item and select Manager. Enter a Manager Name and the required Integration, then click Create.
Each Integration Type, custom or commercial, can be edited in the Integrated Development Environment. Users can select an Integration, in the IDE Sidebar, then the Integration will appear in IDE page.
Users will be able to:
1. Disable/ Enable
2. See Integration Name
3. See Integration Description
4. Use the IDE Editor
5. Play Item
6. Manage JSON Sample
7. Duplicate/ Delete Item
Additionally, to the right of the IDE Editor, users will be able to observe:
1. Integration Details
2. Dynamic List
3. Testing Parameters & Results
4. Debug Output
Once an Integration has been tested, reviewed and completed, users will select Save.
Users will be able to Enable the Integration, and move the Integration from Production to Staging, via the Staging/ Production Toggle at the top of the IDE Sidebar.

Relevant Documentation Links

[All Steps] https://cloud.google.com/chronicle/docs/soar/respond/ide/using-the-ide

Jobs Scheduler

Google SecOps provides the analysts a way to respond to cyber threats in minutes, not days. Enable modern, fast, and effective response by combining low-code automation with powerful collaboration.

The Jobs Scheduler page contains default Google SecOps jobs, as well as jobs that are created in the IDE and are essentially scripts that can be scheduled to run periodically. Jobs can access data in all environments.

Steps

Jobs are configured under Jobs Scheduler. Users will navigate to the left-side Navigation Bar and then select Response dropdown menu, then select Jobs Scheduler.
At the top-left of the page, users will see side panel with the following options:
1. Refresh
2. Show All/ Hide Inactive
3. Create New Job
4. Search Field
5. Expand/ Collapse List
6. Jobs List
When a user wants to display current Jobs, whether Active/ Inactive, click on a Job and the selected Job page will appear.
The Job page will consist of the following information:
1. Job Activation Toggle
2. Job Name
3. Job Creation Date/ Time
4. Job Description
5. Job Menu
  - Download Job
  - Delete Job
6. Save Job
7. Job Details
8. Job Parameters
9. Job History
10. Run Now (Run Job)
To create a New Job, users will go into the Jobs Sidebar, and select Create New Job. This will display the Add Job popup.
In the Add Job popup, users can select a Job they created in the IDE and click Save.

Relevant Documentation Links

[All Steps] https://cloud.google.com/chronicle/docs/soar/working-with-remote-agents/set-up-integrations-and-connectors?hl=en

Next Step: Security Operations: Step 5.2 - Respond | Dashboard and Report

Previous Step: Security Operations: Step 5: Respond

Security Operations: Step 5.2 - Respond | Dashboard and Report

Thu, 31 Oct 2024 16:50:51 GMT

Google SecOps provides you the type visualization required to maintain awareness of security events, the SOC environment, and case information, in one product. Being able to communicate with your team and peers in security, in an instance, enables your team to effectively manage threats. Visualization can be a game changer. With Google SecOps’ Dashboards and Reports, users can visualize their Security Environment with ease.

Actions

SIEM Dashboards

Google SecOps’ Dashboard page in the platform enables analysts to manage dashboards, giving them an overview of the specified data in various views in the form of widgets. A dashboard holds a maximum of 12 widgets, which can display data in various forms such as pie charts, horizontal or vertical bars, tables, ROI charts, etc., for any specified SOC environment or case occurrence time.

Steps

Users will navigate to the left-side Navigation Bar and then select from the Dashboards and Reports dropdown menu.
Users will then select SIEM Dashboards from the dropdown menu, which will display the SIEM Dashboards available.
The SIEM Dashboard page sidebar will display the following options:
1. Default Dashboards
2. Personal Dashboards
3. Shared Dashboards
If there are no Dashboards available, or the user would like to add a Dashboard, select the Add button, next to Personal Dashboards or Shared Dashboards.
In the Add Dashboard dropdown menu, users can select to:
1. Create New
2. Import Dashboard
At the top-right of the SIEM Dashboards page, users can select to:
1. Reload the page
2. Hide Filters
3. Use Dashboards Actions
In the Dashboard Actions selection, users can choose to:
1. Clear Cache and Refresh
2. Download
3. Schedule Delivery
4. Reset Filters
In the Default Dashboards, users will see the pre-defined Dashboards consisting of:
1. Context Aware Detections- Risk
2. Data Ingestion and Health
3. IOC Matches
4. Main
5. Rule Detections
6. User Sign In Overview
If a user selects to add a New Dashboard, users will see a New Dashboard page. In the middle of the page, users will see words “This Dashboard is Empty.” Users will select the Edit Dashboard button, below the text.
Users will name the New Dashboard, and select the Add button. After selecting the Add button , users will see a dropdown menu that will display the following options for the Widgets that will be added to the Dashboard:
1. Visualization
2. Text
3. Markdown
4. Button
Users will be able to explore different Visualizations:
1. Entity Graphs
2. IOC Matches
3. Ingestion Metrics
4. Rule Detections
5. Rulesets with Detections
6. UDM Events
7. UDM Events Aggregates
Users will be able to add a Text Widget, in the Edit Dashboard.
Markdown Tiles are options for formatting the user’s Text or adding Links and Images that can make your Dashboards pop. Users can select a Markdown Tile, in the Edit Dashboard.
Users will be able to Add a Button, with both Content and Design options:
1. Content
  - Label
  - Link
  - Description
2. Design
  - Button Style
  - Color
  - Button Size
  - Alignment
When all fields and options are complete, users will select Save.

Relevant Documentation Links

[All Steps] https://cloud.google.com/looker/docs/creating-user-defined-dashboards

SOAR Dashboards

Steps

Users will navigate to the left-side Navigation Bar and then select from the Dashboards and Reports dropdown menu.
Users will then select SOAR Dashboards from the dropdown menu, which will display the SOAR Dashboards available.
The SOAR Dashboard page will display the selected Dashboard, which can be selected from the Dashboard Selection menu at the top-left of the page. Below the Dashboard Selection menu, users can see the Owner of the Dashboard.
On the top-right of the Dashboard, users will see:
1. Filter Option
  - Time Range
  - Environment
2. Menu
  - Share Dashboard with Others
  - Export
  - Save as a Report Template
  - Delete Dashboard
3. Refresh
4. Import
5. Add Widget
To add a New Widget, users will select the Add Widget button, or the empty Widget with a plus sign, and Widget Settings popup will appear.
In the Widget Settings popup, will allow users to:
1. Select Data Display (Graph, Entity, Chart)
2. Corresponding Fields
  - Number Of
  - Calculate Field
  - Group By
  - Number of Results
  - Order By
3. Title
4. Widget Width
5. Filters
6. Preview
When complete, users will select Create.

Relevant Documentation Links

[All Steps] https://cloud.google.com/chronicle/docs/soar/monitor-and-report/soar-dashboards/add-dashboard-widgets

SOAR Reports

Google SecOps Reports come in useful to justify Return on Investment (ROI) to upper management and to achieve transparency and accountability to customers and fellow colleagues.

Google SecOps provides analysts with five predefined Reports and the option to create new ones. You can export and import Reports to other platforms.

Steps

Users will navigate to the left-side Navigation Bar and then select from the Dashboards and Reports dropdown menu.
Users will then select SOAR Reports and SOAR Reports page will appear.
Users will see five pre-defined reports templates available:
1. General
2. Management
3. ROI
4. SLA
5. Tier 1
Users can select the following options at the top of the Reports page:
1. Search field
2. Menu
3. Refresh
4. Import
5. Add New Template
Users will see a list of available reports, under the following columns:
1. Category
2. Name of Template
3. Created By
4. Creation Time
5. Scheduler
6. Generate Report
When a Report is selected, users will see an Editor and Scheduler section to the right of the Report List.
When a user selects a Report, the Widgets that the user wants in the Report can be edited by selecting the Edit Widget button , which will appear when the user’s mouse hovers over the Widget they choose to Edit.
Additionally, users can delete Widgets by selecting the Delete button, next to the Edit Widget button.
To Schedule a Report, users will select the Scheduler section and click on the Add New Schedule button.
In the the Scheduler section, users can select the following fields:
1. Enable
2. Environment
3. Time Frame
4. File Type
5. Mail to
6. Message
7. Repeat Schedule
8. Set Time
When complete with the Scheduler, user’s will select Save.
To Generate a Report, users will select from a listed Report, and click Generate, which will display a Generate Report popup.
In the Generate Report popup, users will select the following options:
1. Environments
2. Time Frame
3. File Type
When complete, users will select Download. The Report will appear in the user’s download folder, available to disseminate.

Relevant Documentation Links

[All Steps] https://cloud.google.com/chronicle/docs/soar/monitor-and-report/soar-reports/understanding-reports

Next Step: Security Operations: You have completed your Google SecOps Journey!

Previous Step: Security Operations: Step 5.1 - Respond | Response

Security Operations: You have completed your Google SecOps Journey!

Thu, 31 Oct 2024 16:51:04 GMT

You have completed your Google SecOps Journey!

If you are a Google SecOps Enterprise+ customers, you can continue your journey to Google Threat Intelligence Onboarding Journey by clicking here.

For those who seek to learn more, feel free to search and discover more about the platform in our Google SecOps Documentation Hub located here.

Previous Step: Security Operations: Step 5.2 - Respond | Dashboard and Report

Security Operations SIEM - Journey Overview

Fri, 11 Oct 2024 19:54:52 GMT

Chronicle SIEM is the foundation of your SecOps platform. SIEM will aggregate incoming data in the form of logs, alerts, and raw data, enrich it with additional context, normalize it, and then index it for rapid search.

This provides the platform for security event correlation which can then be enhanced through various Google threat-intelligence feeds, security tools, and SecOps SOAR which provides simple orchestration and automation for security response in the form of customizable playbooks.

The first step in adopting your Google SecOps platform is this onboarding journey.

Journey

Actions

In the SecOps SIEM Journey you will navigate through four main tasks of implementation:

Next Steps: Security Operations SIEM: Step 1 - OnBoarding

Security Operations SIEM: Step 1 - OnBoarding

Fri, 11 Oct 2024 19:54:48 GMT

Below you'll find a table of contents for the Onboarding journey.

SecOps Onboarding will provide administrative access to the platform. This is the first requirement in product adoption, and includes integration with your chosen Identity and Access Management (IAM) software to ensure user and role consistency across your portfolio.

Prerequisites

Entitlement for SecOps SIEM on the account and project

Actions

GCS Project Setup

Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

Access to manage Projects inside of your company's Google Workspace. (Presumably the user wouldn't see this step without access to begin with)

Steps

In the Google Cloud console, go to Menu > IAM & Admin > Create a Project.
In the Project Name field, enter a descriptive name for your project.
1. To edit the Project ID, click Edit. The project ID can't be changed after the project is created, so choose an ID that meets your needs for the lifetime of the project.
In the Location field, click Browse to display potential locations for your project. Then, click Select.
Click Create. The Google Cloud console navigates to the Dashboard page and your project is created within a few minutes.

Relevant Links

All Steps: https://developers.google.com/workspace/guides/create-projectFIXME: Image

Configure IDP Integration

Identity Platform is a CIAM system that can help you add identity and access management functionality to your Google Cloud projects. Identity Platform is a Google Cloud native IdP.

Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

Google Cloud project set up for Chronicle
Billing Enabled for Google Cloud Project

Steps

Select your project from the dropdown at the top of the console.
Navigate to the Identity Platform page. | Docs
Click Enable Identity Platform.
Navigate to the Identity Providers Page > Click Add Provider.
In the Select a provider list, select Email/Password.
Click the Enabled toggle to on, click Save.
Navigate to the Users page. | Docs
Click Add User.
In the Email field, enter an email and password. Make a note of both of these values because you will need them in a later step.
To add the user, click Add. The new user is listed on the Users page.

Relevant Links

Configure External IDP

If your organization uses an external identity provider (IdP), you will need to configure federation to allow your users, contractors, and partners to authenticate to IAM and Google Console.

Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

Administrative access to the Google Cloud Project in which you intend to enable 3rd party IdP.
Understanding of Google Cloud Workforce Identity Federation.
Familiarity with Google Cloud Shell.

Steps

Define workforce identity pool and provider details. | Docs
Define User Attributes and Groups in the IdP. | Docs
Create a SAML Application in the IdP and configure it. | Docs
Configure workforce identity federation in the Google Cloud. | Docs
Create and Configure a workforce identity pool. | Docs
Create a workforce identity provider. | Docs
Grant roles for SecOps access | Docs
Verify or Configure SecOps feature access control. | Docs
Modify workforce identity federation configuration. | Docs

Relevant Links

Provision SecOps Instance

In this step we'll provision your SecOps instance using all the pre-work from the previous steps. In order to utilize SecOps, you'll need to have an instance provisioned inside of your Google Cloud Project.

Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

Create Google Cloud Project and Enable Chronicle API
Configure SSO Provider for Chronicle instance
Confirm User has required permissions

Steps

Provide your Customer (CE) with the Project ID you plan to bind to the SecOps Instance. Wait for confirmation email.
Select your Google Cloud Project, then navigate to Security > Chronicle SecOps.
If you have not enabled the Chronicle API, you will see a Getting Started button, click it.
Fill out the Company Information section, click Next.
Review the service account information and then click Next.
Select the workforce provider created in the previous step of the Chronicle Journey, click Next.
Expand the Terms of Service. if you agree to the terms, click Start Setup.
1. Note: It could take up to 15 minutes for the Chronicle instance to be provisioned. You will receive a notification once provisioned successfully.

Relevant Links

All Steps: https://cloud.google.com/chronicle/docs/onboard/link-chronicle-cloud#configure_a_new_instance

Next Steps: Security Operations SIEM: Step 2 - Data Ingest

Previous Step: Security Operations SIEM - Journey Overview

Security Operations SIEM: Step 2 - Data Ingest

Fri, 11 Oct 2024 19:54:45 GMT

Below you'll find a table of contents for the Configure Data Ingest journey.

Data Ingest is the core of Google SecOps. SecOps ingests raw log data, alerts, and other information. Ingested information is normalized and indexed for rapid search, then context enriched with data available from other ingested sources including threat intelligence feeds. Configuring data ingest is the first step in preparing SecOps to correlate security events for your SecOps team. Google's industry leading SecOps indexing, context enrichment, and search will enable your SecOps analysts to respond rapidly with a comprehensive view of threats and events.

Prerequisites

Entitlement for SecOps SIEM on the account and project.

Actions

Install & Configure Forwarders

Forwarders and collectors are two primary components of SecOps data ingest model. These allow for the collection and normalization of data from various sources.

Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

New or existing SecOps SIEM deployment

Steps

Add a new forwarder | Docs
1. In Chronicle UI, Application Menu > Settings > Forwarders
2. Add New Forwarder
3. Configure Forwarder appropriately, following linked documentation.
Add a new Collector, selecting the forwarder from the previous step | Docs
1. The Add Collector window should appear
2. Note: You can add one or more collectors to an existing forwarder
3. Select log type, namespaces, labels, and any other details relevant to your environment

Relevant Links

Data Enrichment w/ External Data Feeds

External data feeds allow SecOps to ingest relevant security information from various sources and utilize it as additional context.

Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

New or existing SecOps SIEM deployment
Feed-specific prerequisites

Steps

Click Settings > Feeds.
Click Add New.
Choose your Source Type and Log Type, click Next.
Fill out the Input Parameters tab, the content required in the tab will vary depending on the Source Type you've chosen in the previous step.
Validate everything in the Finalize section, then click Submit.

Relevant Links

All Steps: https://cloud.google.com/chronicle/docs/administration/feed-management#creating_and_editing_feeds

Configure GCP Log Ingest

Your Google Cloud Project will be generating log data in many different formats, ingesting them into Chronicle will help you provide more contextual data for your Google Cloud Project while making them available to SecOps search.

Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

New or existing SecOps SIEM deployment

Steps

Contact your Customer Engineer (CE) to obtain the one-time access code you need to ingest your Google Cloud data.
Grant the following IAM roles required for you to access the Chronicle section.
1. Chronicle Service Admin (roles/chroniclesm.admin)
2. Chronicle Service Viewer (roles/chroniclesm.viewer)
3. Security Center Admin Editor (roles/securitycenter.adminEditor)
If you plan to enable Cloud Asset Metadata, you must also enable either the Security Command Center Standard tier or Security Command Center Premium tier on Google Cloud.

Relevant Links

All Steps: https://cloud.google.com/chronicle/docs/ingestion/cloud/ingest-gcp-logs#before_you_begin

Customize Parsers

SecOps SIEM uses parsers to normalize raw logs into a common format in SecOps SIEM.

Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

New or existing SecOps SIEM deployment
Forwarder, API Feed, Ingestion API, or 3rd party generating data that needs parsed

Steps

Go to Settings > SIEM Settings
Click Create Parser
Select an appropriate log source from the Log Source list.
Select Start with Raw Logs Only to create a new parser according to your requirements.
Click Create
Type the code in the Parser Code Terminal
Click Preview
Click Validate
Click Submit

Relevant Links

All Steps: https://cloud.google.com/chronicle/docs/event-processing/manage-parser-update

Next Steps: Security Operations SIEM: Step 3 - Rules

Previous Step: Security Operations SIEM: Step 1 - OnBoarding

Security Operations SIEM: Step 3 - Rules

Fri, 11 Oct 2024 19:54:42 GMT

Below you'll find a table of contents for the Rules journey.

Rules are the backbone of ensuring data is actionable and aligned to your unique policies within SecOps. Rules allow your SecOps team to tailor information and alerting to the unique needs of your organization.

Prerequisites

Entitlement for SecOps SIEM on the account and project.

Actions

Write Rules

SecOps enables you to view telemetry, entity context, relationships, and vulnerabilities as a single detection within your account. It provides entity contextualization to enable you to understand both the behavioral patterns in telemetry and the context of those impacted entities from those patterns.

Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

Existing Chronicle instance
Proper access in Chronicle

Steps

Open the Rules Dashboard in Chronicle, select Rules.
Click on Rules Editor > New
Specifiy your source using either the
```
udm
```
or
```
entity
```
Specify the entity data
Specify UDM event data

Relevant Links

All Steps: https://cloud.google.com/chronicle/docs/detection/context-aware-analytics

View Rules

Existing rules can be copied and edited as needed. This allows the rapid creation of new rules based on existing rules, or modification of existing rules when required.

Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

Existing Chronicle instance
Existing rules

Steps

Click on Rules Editor, lets you edit existing rules and create new ones.
Use the Search rules field to search for an existing rule.
Select the rule you are interested in from the Rules List.
Use the Rules Editing window to edit existing rules and to create new rules.
Click New in the Rules Editor to open the Rules Editor Window.

Relevant Links

All Steps: https://cloud.google.com/chronicle/docs/detection/manage-all-rules

Manage Rules

SecOps enables you to view telemetry, entity context, relationships, and vulnerabilities as a single detection within your SecOps account. It provides entity contextualization to enable you to understand both the behavioral patterns in telemetry and the context of those impacted entities from those patterns.

Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

Existing Rules in SOAR
Proper access to manage rules

Steps

The Rules Editor lets you edit existing rules and create new ones.
1. Use the Search Rules field to search for an existing rule.
2. Select the rule you are interested in from the Rules List.
3. Use the Rules Editing window to edit existing rules and to create new rules.
4. Click New in the Rules Editor to open the Rules Editor Window.

Relevant Links

All Steps: https://cloud.google.com/chronicle/docs/detection/manage-all-rules

Add Qualifiers

While writing or editing rules, you might want to add additional qualifiers for the entity context.

Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

Access into Chronicle
Editing new or existing rules in the Rules Editor

Steps

In the rules editor, provide a after the event name. The must be graph.
1. Example:
```
$e.graph.entity.hostname
```
There are two equivalent methods of referring to a UDM event:
1. ```
$u.udm.principal.asset_id
```
2. ```
$u.principal.asset_id
```
Qualifiers can be mixed and matched in the rule text. You can use different qualifiers for the same event as well.

Relevant Links

All Steps: https://cloud.google.com/chronicle/docs/detection/context-aware-analytics#additional_qualifiers_for_entity_context

Define Outcomes

Detection engine supports an outcome section that allows you to derive more information from a rule. The logic from the outcome section is evaluated against each detection.

Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

Access into Chronicle
Editing new or existing rules in the Rules Editor

Steps

In the Rules editor, supply a rule following the guidance in the linked docs on the next slide.
1. An example can be found in the linked documentation.

Relevant Links

Next Steps: Security Operations SIEM: Step 4 - Custom Dashboards

Previous Step: Security Operations SIEM: Step 2 - Data Ingest

Onboarding Journey articles

Security Operations: Journey Overview

Journey

Google SecOps Journey

Actions

Security Operations: Step 1 - Administration

Prerequisites

Security Operations: Step 1.1 - Administration | Initial Config

Table of Contents

Prerequisites

Actions

Configure GCP for GSO

Prerequisites

Steps

Relevant Documentation Links

Grant Access

Prerequisites

Steps

Relevant Documentation Links

Configure IDP Integration

Prerequisites

Steps

Relevant Documentation Links

Configure 3rd Party IDP

Prerequisites

Steps

Relevant Documentation Links

Configure Access Control IAM

Prerequisites

Steps

Relevant Documentation Links

User Management

Prerequisites

Steps

Relevant Documentation Links

Security Operations: Step 1.2 - Administration | Admin Setup

Table of Contents

Actions

Access and Support

Steps

Relevant Documentation Links

Create Lists and Templates

Steps

Relevant Documentation Links

Email Notifications

Steps

Relevant Documentation Links

Data Retention & Logs

Prerequisites

Steps

Relevant Documentation Links

Security Operations: Step 2 - Ingestion

Prerequisites

Security Operations: Step 2.1 - Ingestion | Configure Data Ingest

Table of Contents

Actions

Install & Configure Forwarders

Steps

Relevant Documentation Links

Parsers

Steps

Relevant Documentation Links

Create and Manage Feeds

Steps

Relevant Documentation Links

Connectors

Prerequisites

Steps

Relevant Documentation Links

Security Operations: Step 2.2 - Ingestion | Utilize SecOps Marketplace

Table of Contents

Prerequisites

Actions

Marketplace Use-Cases

Steps

Relevant Documentation Links

Use Case Example

Marketplace Integrations

Steps

Relevant Documentation Links