Onboard Google SecOps platform (SOAR side only)

Before you begin

Google strongly recommends taking the training in the Chronicle learning path first.

Set up user groups

You need to create or select a predefined SOC role and a permission group, and then map them to the IdP groups received from the SIEM setup. For detailed instructions for each of these tasks, see the following documents:

Set up data ingestion points using connectors or webhooks

Set up connectors or webhooks to ingest alerts into the platform so that they can be analyzed. Alternatively, you can download an entire use case, which includes its ingestion configuration. For detailed instructions for each of these tasks, see the following documents:

Map and model incoming data

You can control how incoming products, events, and entities are mapped and modeled to make sure the right information is captured. You can define this ontology configuration yourself or use the default mapping and modeling configuration. For detailed instructions for each of these tasks, see the following documents:

Create playbooks

Google Security Operations lets you respond to threats using a sequential set of manual and automated steps called playbooks. For more information about playbooks, refer to the following documents:

Analyze cases and alerts

Use simulated cases and test alerts to test your configurations and playbooks before going live with them. After alerts are ingested and playbooks have finished running, you can look at the cases and alerts to see what needs to be done next, including triage or remediation steps. For detailed instructions for each of these tasks, see the following documents: