Run Use Cases
Quick Summary
Google Security Operations provides a repository for use cases developed by Google Security Operations that can be deployed in your environment. The use cases are available for download from the Google Security Operations Marketplace. Each use case contains the items required for an end-to-end execution of a workflow.
Overview
The use case contains all the items needed to implement a workflow and installs the following:
- Test case (Simulation Case)
- Mapping & modelling configuration
- Integrations
- Connectors
- Playbooks
This allows you to see how an end-to-end security workflow will look in Google Security Operations, and even use these items as a kickstart for the actual use cases you want to implement.
In the Google Security Operations Marketplace, you will have a fully detailed description of the items in each use case. In addition, there may be a video showing you how to deploy the use case on mock or real data. You will usually be required to configure the integrations in the use case.
When everything is set up, you will be able to run the test cases from the Cases page.
Example: Zero to Hero Use Case
Let's run the Basic Phishing (Zero to Hero) use case from the Google Security Operations Marketplace.
- Navigate to the Google Security Operations Marketplace.
- In the Use Case tab, select the Zero to Hero use case and click Run Use Case.
- Before you click through the wizard, we recommend you take five minutes to watch the video tutorial in this Use Case before continuing.
- When you scroll down this screen, you will see that we have prepared two email samples for you – one malicious and one non-malicious. You can ingest these samples using the Email connector to see how they are handled by the Zero to Hero use case. In addition, on this screen are the list of items that will be downloaded. Click Next when you are ready.
- The Install Use Case items screen lists the integrations, playbooks and simulation cases to be installed. Click Install. When installation is completed, click Next.
- Make sure that all the relevant fields and parameters are defined correctly in order to configure the integrations. When everything is filled in and tested, click Next.
- Select the alert for simulation. This automatically simulates the Case. Click Next.
- The "Congratulations" screen is displayed. Look through the options offered and navigate to the Cases screen. Continue to Step 12.
- If you did not select the alert for simulation in the Wizard, then navigate to Cases in the link , click the add sign above the cases queue and select Simulate Cases.
- Select the Zero to Hero case and click Create.
- Make sure to select the default environment and click Simulate.
- Click Refresh and you will see a new Case created in Google Security Operations, with a playbook attached to the alert inside.