Google Security Operations provides a repository of use cases that you can deploy in your environment. These use cases are available for download from the Google SecOps Marketplace (for SOAR-only users) or the Content Hub (for Google Security Operations) customers. Each use case includes all the components you need to run a complete workflow, end to end.
Overview
The use case contains
all the items needed to implement a workflow and installs the following:
Test case (Simulation Case)
Mapping & modelling configuration
Integrations
Connectors
Playbooks
This allows you to see how an end-to-end security workflow will look in
Google SecOps, and even use these items as a kickstart for the actual use
cases you want to implement.
In the Google SecOps Marketplace, you will have a fully detailed description of the items in
each use case. In addition, there may be a video showing you how to deploy the
use case on mock or real data. You will usually be required to configure the
integrations in the use case.
When everything is set up, you will be able to run the test cases from the
Cases page.
Example: Zero to Hero Use Case
Let's run the Basic Phishing (Zero to Hero) use case from the Google SecOps Marketplace.
Navigate to the Google SecOps Marketplace.
In the Use Case tab, select the Zero to Hero use case and click Run Use
Case.
Before you click through the wizard, we recommend you take five minutes to
watch the video tutorial in this Use Case before continuing.
When you scroll down this screen, you will see that we have prepared two
email samples for you – one malicious and one non-malicious. You can
ingest these samples using the Email connector to see how they are handled
by the Zero to Hero use case. In addition, on this screen are the list of
items that will be downloaded. Click Next when you are ready.
The Install Use Case items screen lists the integrations, playbooks and
simulation cases to be installed. Click Install. When installation is
completed, click Next.
Make sure that all the relevant fields and parameters are defined correctly
in order to configure the integrations. When everything is filled in and
tested, click Next.
Select the alert for simulation. This automatically simulates the Case.
Click Next.
The "Congratulations" screen is displayed. Look through the
options offered and navigate to the Cases screen. Continue to Step 12.
If you did not select the alert for simulation in the Wizard, then navigate
to Cases in the link , click the
add
sign above the cases queue and select Simulate Cases.
Select the Zero to Hero case and click Create.
Make sure to select the default environment and click Simulate.
Click Refresh and you will see a new Case created in Google SecOps, with a
playbook attached to the alert inside.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eGoogle Security Operations provides pre-built use cases, available in the Google SecOps Marketplace, that offer ready-to-deploy security workflows for your environment.\u003c/p\u003e\n"],["\u003cp\u003eEach use case package includes all necessary components for implementation, such as test cases, mappings, integrations, connectors, and playbooks, to help in having a full security workflow.\u003c/p\u003e\n"],["\u003cp\u003eThe Google SecOps Marketplace features detailed descriptions of each use case, as well as video tutorials on deployment, with additional steps for configuring the necessary integrations.\u003c/p\u003e\n"],["\u003cp\u003eUsers can run test cases directly from the Cases page, or simulate cases, like the Basic Phishing (Zero to Hero) example, to visualize and test the security workflow in action.\u003c/p\u003e\n"],["\u003cp\u003eThe google cloud security community link provided allows users to get assistance from community members and Google SecOps professionals.\u003c/p\u003e\n"]]],[],null,["# Run Use Cases\n=============\n\nSupported in: \nGoogle secops [SOAR](/chronicle/docs/secops/google-secops-soar-toc) \n\nQuick Summary\n-------------\n\n\nGoogle Security Operations provides a repository of use cases that you can deploy in your environment. These use cases are available for download from the Google SecOps Marketplace (for SOAR-only users) or the Content Hub (for Google Security Operations) customers. Each use case includes all the components you need to run a complete workflow, end to end.\n\n*** ** * ** ***\n\nOverview\n--------\n\n\nThe use case contains\nall the items needed to implement a workflow and installs the following:\n\n- Test case (Simulation Case)\n- Mapping \\& modelling configuration\n- Integrations\n- Connectors\n- Playbooks\n\n\nThis allows you to see how an end-to-end security workflow will look in\nGoogle SecOps, and even use these items as a kickstart for the actual use\ncases you want to implement.\n\n\nIn the Google SecOps Marketplace, you will have a fully detailed description of the items in\neach use case. In addition, there may be a video showing you how to deploy the\nuse case on mock or real data. You will usually be required to configure the\nintegrations in the use case.\n\n\nWhen everything is set up, you will be able to run the test cases from the\nCases page.\n\nExample: Zero to Hero Use Case\n------------------------------\n\n\nLet's run the Basic Phishing (Zero to Hero) use case from the Google SecOps Marketplace.\n\n1. Navigate to the **Google SecOps Marketplace**.\n2. In the Use Case tab, select the Zero to Hero use case and click Run Use Case.\n3. Before you click through the wizard, we recommend you take five minutes to watch the video tutorial in this Use Case before continuing.\n4. When you scroll down this screen, you will see that we have prepared two email samples for you -- one malicious and one non-malicious. You can ingest these samples using the Email connector to see how they are handled by the Zero to Hero use case. In addition, on this screen are the list of items that will be downloaded. Click Next when you are ready.\n5. The Install Use Case items screen lists the integrations, playbooks and simulation cases to be installed. Click Install. When installation is completed, click Next. [](/static/chronicle/images/soar/runusecases1.png)\n6. Make sure that all the relevant fields and parameters are defined correctly in order to configure the integrations. When everything is filled in and tested, click Next.\n7. Select the alert for simulation. This automatically simulates the Case. Click Next.\n8. The \"Congratulations\" screen is displayed. Look through the options offered and navigate to the Cases screen. Continue to Step 12. [](/static/chronicle/images/soar/runusecases2.png)\n9. If you did not select the alert for simulation in the Wizard, then navigate to Cases in the link , click the add sign above the cases queue and select Simulate Cases.\n10. Select the Zero to Hero case and click Create.\n11. Make sure to select the default environment and click Simulate.\n12. Click Refresh and you will see a new Case created in Google SecOps, with a playbook attached to the alert inside.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
