Run Use Cases

Quick Summary

Google Security Operations provides a repository of use cases that you can deploy in your environment. These use cases are available for download from the Google SecOps Marketplace (for SOAR-only users) or the Content Hub (for Google Security Operations) customers. Each use case includes all the components you need to run a complete workflow, end to end.

Overview

The use case contains all the items needed to implement a workflow and installs the following:

• Test case (Simulation Case)
• Mapping & modelling configuration
• Integrations
• Connectors
• Playbooks

This allows you to see how an end-to-end security workflow will look in Google SecOps, and even use these items as a kickstart for the actual use cases you want to implement.

In the Google SecOps Marketplace, you will have a fully detailed description of the items in each use case. In addition, there may be a video showing you how to deploy the use case on mock or real data. You will usually be required to configure the integrations in the use case.

When everything is set up, you will be able to run the test cases from the Cases page.

Example: Zero to Hero Use Case

Let's run the Basic Phishing (Zero to Hero) use case from the Google SecOps Marketplace.

1. Navigate to the Google SecOps Marketplace.
2. In the Use Case tab, select the Zero to Hero use case and click Run Use Case.
3. Before you click through the wizard, we recommend you take five minutes to watch the video tutorial in this Use Case before continuing.
4. When you scroll down this screen, you will see that we have prepared two email samples for you – one malicious and one non-malicious. You can ingest these samples using the Email connector to see how they are handled by the Zero to Hero use case. In addition, on this screen are the list of items that will be downloaded. Click Next when you are ready.
5. The Install Use Case items screen lists the integrations, playbooks and simulation cases to be installed. Click Install. When installation is completed, click Next.

   

6. Make sure that all the relevant fields and parameters are defined correctly in order to configure the integrations. When everything is filled in and tested, click Next.
7. Select the alert for simulation. This automatically simulates the Case. Click Next.
8. The "Congratulations" screen is displayed. Look through the options offered and navigate to the Cases screen. Continue to Step 12.

   

9. If you did not select the alert for simulation in the Wizard, then navigate to Cases in the link , click the add sign above the cases queue and select Simulate Cases.
10. Select the Zero to Hero case and click Create.
11. Make sure to select the default environment and click Simulate.
12. Click Refresh and you will see a new Case created in Google SecOps, with a playbook attached to the alert inside.