SOAR table of contents
You can return to this table of contents at any time by clicking at the top of documents that are for SOAR.
Google SecOps SOAR
Your Workdesk
Fill out a request from the workdesk
Respond to pending actions from the workdesk
Investigating cases and alerts
Working with cases
Manage tasks from the Cases screen
Manage tags from the Cases screen
View the contents of closed cases
Define a default view for cases (Admin)
Add or delete case stages (Admin)
Alert Options menu in the Cases screen
View the original SIEM data in a case
Explore entities and alerts (Investigation)
Navigate the Entity Explorer screen
Perform a batch action on several cases at once
Measure how long security analysts take to close or raise a Case
Add new Case Close Root Cause (Admin)
Move a case to a new environment
Working with alerts
Change alert priority instead of case priority
Alert grouping mechanism overview (Admin)
How to configure the alert overflow mechanism (Admin)
Define the default Alert view (Admin)
Search
Ingest data
Connectors
Ingest your data using connectors
ElasticSearch connector: Map a custom date and time
Define environments in connectors
Webhooks
Respond to alerts
Work with Playbooks
Work with the Playbook Simulator
Overview of playbook monitoring
Define customized alert views using Playbook Designer
Use alert type triggers in a playbook
Bulk actions and filters in playbooks
Create playbook blocks (Video)
Playbook lifecycle management (Video)
Use the Playbook Simulator (Video)
Scan multiple URLs in VirusTotal
Put elements of the case data into an email message
Send messages to a phone number
Use cases for Expression Builder
Assign actions and playbook blocks
Configure timeouts for playbook async actions
Assign approval links in actions
Use predefined widgets in playbook view
Prevent users from changing playbooks
Send an email from Google SecOps
Integrated development environment (IDE)
Develop a new integration (Video)
Test integrations in staging mode
Integrations Setup
Upgrade the Python version to 3.11
Work with an external vault system
Requirements for publishing your first integration
My first automation (Playbook)
Requirements for publishing your first use case
Incident manager
Open an incident from Incident Manager
Open an incident from the Cases screen
Define departments for Incident Manager
Define auditors in the Incident Manager
Define authorized environments
Invite collaborators to Incident Manage
Work with the Incident Manager dashboard
Use the Incident Manager (Video)
Google SecOps Marketplace
Use the Google SecOps Marketplace
Power Ups
Monitor and report
Dashboards
Example: Add a new widget to a dashboard
Overview of the dashboard screen
Reports
Use advanced reports in Looker
Use Looker Explores in SOAR reports
Default advanced reports in depth
Generate ROI reports (SOC Managers)
Deep dive into four advanced reports
SOAR APIs
Settings
Environments
Create environment groups (SOAR only)
Use dynamic parameters in environments
Use dynamic parameters (Video)
Environments alignment (Video)
Allow access to other environments
Permissions
Allow Google Support to access your platform
Define a landing page after login
Work with users (SOAR Only)
Add a new user to the SOAR platform
Benefits of adding a collaborator user
Create a user with view-only permission
Disable or delete a user account in SOAR
Email invitation prerequisites
Case management federation (SOAR only)
SAML overview (SOAR only)
SAML configuration for Workspace
SAML configuration for Microsoft Azure
Configure an Okta provider (Video)
Just-in-time user provisioning
Configure multiple SAML providers
Troubleshooting common SAML Issues
Ontology
Viewing model family and field mapping
Decide what events to configure
Configure mapping and assign visual families
Create entities (Mapping & Modeling)
Configuration tasks
Create a block list to exclude entities from alerts
Define requests for users (Admin)
Set the service-level agreement (SLA)
Use dynamic variables in email HTML templates
Advanced tasks
Open a ticket for Google Support
Control access to Google SecOps platform
Set the time zone for all users (Admin)
View and change service limits
Remote Agents
Requirements and prerequisites
Remote agents scaling strategy
Create an agent with the installer on RHEL
Create an agent with the installer on CentOS
Upgrade agent with installer for RHEL
Upgrade agent with installer for CentOS
Installer and Docker agent configuration
Set up integrations and connectors
Deploy high availability for remote agents