SOAR table of contents

You can return to this table of contents at any time by clicking soar at the top of documents that are for SOAR.

Google SecOps SOAR

Product overview

Getting started

Onboard Google SecOps SOAR

Your Workdesk

Workdesk overview

Fill out a request from the workdesk

Respond to pending actions from the workdesk

View cases from the workdesk

Investigating cases and alerts

Working with cases

Cases overview

Cases screen

Case Queue header overview

Case Overview tab

Case Wall tab

Instant messaging on a case

Manage tasks from the Cases screen

Perform a manual action

Manage tags from the Cases screen

Take actions on a case

Mark a case as an incident

Simulate cases

Create a test case

How to close cases

View the contents of closed cases

Define tags in cases (Admin)

Define a default view for cases (Admin)

Gemini Summary

Add or delete case stages (Admin)

Alert Options menu in the Cases screen

View the original SIEM data in a case

Explore entities and alerts (Investigation)

Supported entity types

Navigate the Entity Explorer screen

Perform a batch action on several cases at once

Measure how long security analysts take to close or raise a Case

Add new Case Close Root Cause (Admin)

Name a case (Admin)

Create a manual case

Move a case to a new environment

Add or edit entity properties

Apply and save filters

Entity selection

Working with alerts

Alert Overview tab

Alert Playbooks tab

Change alert priority instead of case priority

Alert events tab

Alert grouping mechanism overview (Admin)

Rerun playbooks

Group your alerts (Video)

How to configure the alert overflow mechanism (Admin)

Define the default Alert view (Admin)

Handle large alerts

Work with the search screen

Ingest data

Connectors

Ingest your data using connectors

View connector logs

ElasticSearch connector: Map a custom date and time

Define environments in connectors

Webhooks

Set up a Webhook

Respond to alerts

Work with Playbooks

Overview of the Playbooks

Use triggers in playbooks

Use actions in playbooks

Use flows in playbooks

Use the Expression Builder

Work with the Playbook Simulator

Use the Playbook Navigator

Work with playbook blocks

Overview of playbook monitoring

Define customized alert views using Playbook Designer

Use alert type triggers in a playbook

Bulk actions and filters in playbooks

Use the HTML widget

Create playbook blocks (Video)

Playbook lifecycle management (Video)

Playbook bulk actions (Video)

Use the Playbook Simulator (Video)

Scan multiple URLs in VirusTotal

Put elements of the case data into an email message

Scan URLs received by email

Send messages to a phone number

Attach playbooks to an alert

Use cases for Expression Builder

Assign actions and playbook blocks

Playbook icons legend

Configure timeouts for playbook async actions

Playbook permissions

Assign approval links in actions

Use parallel actions

Use predefined widgets in playbook view

Prevent users from changing playbooks

Send an email from Google SecOps

Create playbooks with Gemini

Integrated development environment (IDE)

Use the IDE

Create a custom action

Develop a new integration (Video)

Build a custom integration

IDE custom code validation

Write jobs

Test integrations in staging mode

Integrations Setup

Configure integrations

Upgrade the Python version to 3.11

Support multiple instances

Work with an external vault system

My first integration

Requirements for publishing your first integration

My first action

My first automation (Playbook)

My first connector

Develop the connector

Configure the connector

Test the connector

Map and model alerts

My first use case

Requirements for publishing your first use case

Incident manager

Incident manager overview

Open an incident from Incident Manager

Open an incident from the Cases screen

Define departments for Incident Manager

Define auditors in the Incident Manager

Define authorized environments

Invite collaborators to Incident Manage

Work with the Incident Manager dashboard

Use the workstation

Create an incident report

Use the Incident Manager (Video)

Google SecOps Marketplace

Use the Google SecOps Marketplace

Run use cases

Power Ups

Connectors

Email utilities

Enrichment

File utilities

Functions

GitSync

TemplateEngine

Insights

Lists

Tools

Monitor and report

Dashboards

Dashboard overview

Add new dashboards

Add dashboard widgets

Example: Add a new widget to a dashboard

Overview of the dashboard screen

Reports

Understand reports

Use advanced reports in Looker

Use Looker Explores in SOAR reports

Default advanced reports in depth

Generate ROI reports (SOC Managers)

Deep dive into four advanced reports

SOAR APIs

Google SecOps SOAR APIs

Settings

Environments

Add a new environment

Create environment groups (SOAR only)

Use dynamic parameters in environments

Delete an environment

Use dynamic parameters (Video)

Environments alignment (Video)

Allow access to other environments

Permissions

Work with permission groups

View your Customer ID

Work with Roles

Work with API Keys

Allow Google Support to access your platform

Define a landing page after login

Work with users (SOAR Only)

Add a new user to the SOAR platform

Benefits of adding a collaborator user

Create a collaborator user

Create a user with view-only permission

Disable or delete a user account in SOAR

Types of users

Create a managed user

Email invitation prerequisites

Password policy (SOAR only)

Case management federation (SOAR only)

SAML overview (SOAR only)

Configure a SAML provider

SAML configuration for Workspace

SAML configuration for Microsoft Azure

SAML configuration for Okta

Configure an Okta provider (Video)

How to configure SAML (Video)

Just-in-time user provisioning

Configure multiple SAML providers

Troubleshooting common SAML Issues

Ontology

Ontology overview

Viewing model family and field mapping

Visual families

Decide what events to configure

Configure mapping and assign visual families

Work with entity delimiters

Create entities (Mapping & Modeling)

Configuration tasks

Create a block list to exclude entities from alerts

Create custom lists

Create email HTML templates

Create email templates

Define domains for MSSPs

Define requests for users (Admin)

Manage networks

Set the service-level agreement (SLA)

Use dynamic variables in email HTML templates

Advanced tasks

Open a ticket for Google Support

Control access to Google SecOps platform

Define system data retention

Monitor user activities

Rebranding

Set the time zone for all users (Admin)

Set up your email

View and change service limits

Manage property metadata

Retrieve raw Python logs

Clean up after removing SOAR

Remote Agents

Overview of remote agents

Requirements and prerequisites

Remote agents architecture

Remote agents scaling strategy

Manage remote agents

Create an agent with Docker

Create an agent with the installer on RHEL

Create an agent with the installer on CentOS

Upgrade agent Docker image

Upgrade agent with installer for RHEL

Upgrade agent with installer for CentOS

Edit remote agent

Redeploy remote agent

Installer and Docker agent configuration

Data flows and protocols

Set up integrations and connectors

Test agents

Upgrade remote agents

Deploy high availability for remote agents

Troubleshooting