Using the Google Security Operations Marketplace

The Google Security Operations Marketplace acts as the customer's toolbox, holding a wide range of utilities and options to choose from, including:

Integrations: These include integrations to third-party applications and custom integrations that you have built in the IDE. In all cases, you need to install them in this screen; those that need advanced configuration must then be configured in the Integrations screen via the Gear icon.

Use Cases: These are pre-built playbook workflows that integrate with the organization's security products to automate the IR process and optimize your Google Security Operations installation. They include predefined use cases from Google Security Operations and customer-uploaded use cases, which you can use either to test drive Google Security Operations functionality or to incorporate into your own use cases.

Power Ups: These include tools created by Google Security Operations Professional Services that enhance customers' ability to automate processes for more efficient Playbooks.

Integrations

There are three types of integrations you can see in the Google Security Operations Marketplace:

  • Commercial – integrations to third-party applications which have been developed by Google Security Operations, including new and updated ones
  • Community – integrations published by users (which have been validated by Google Security Operations and which will appear with user details next to them)
  • Custom – integrations which you have created and which are only displayed on your Google Security Operations Marketplace

Filtering Integrations

You can display the Integrations according to integration type (for example, show custom integrations, published by users) or by status (for example, installed, available update).
Integrations that have not been installed yet have a downwards arrow on the bottom right of the box.
Click this arrow to install the integration. For detailed information on installing and configuring an Integration, see here.

Use Cases

Use Cases enhance your ability to shorten the time to value and to see how Google Security Operations experts or community users are tackling a specific attack or any other SOC challenge.
Each Use Case contains relevant items, such as integrations and Playbooks, in order to simulate an entire workflow from end to end. After deploying one of these use cases, you can choose to Simulate it in the Cases tab. In addition, you can configure the Connector and/or edit the Playbook of a predefined Use Case and run it on real data.

The following actions can be carried out from this screen:

  • Create New Use Case: You can create your own Use Case with playbook/s, test case/s and connector/s. Click Save to save it locally in your Google Security Operations Marketplace only. You can also export it.
  • Publish Use Case: Click this option to have your Use Case published for all users. Once it's uploaded, it's sent to a dedicated Google Security Operations team who will analyze it and add it to the Use Case repository for all customers and community members to use. The goal of this option is to encourage all our customers to share playbooks and use cases that can help others with their Google Security Operations journey. You can alter your photo and user details here before sending it. These identifiers will be published for all users.
  • Import Use Case: Useful for importing from other platforms such as Staging.

Power Ups

These Google Security Operations tools enable users to enhance their Playbooks with various actions. The power ups do not need any special configuration, as they are in-house Google Security Operations actions. New power ups are pushed to the Google Security Operations Marketplace all the time. Click Read More on each power up to see what it contains.

Configure Integrations

  1. You can configure each integration under a default environment by clicking after you have downloaded the integration.
  2. Click to open the configuration window, which presents all the fields that must be configured for a successful connection to the product.
  3. If you would like to configure an integration under a different instance, navigate to Integrations > Shared Instances and choose the instance you would like to configure the integration to.

For detailed information on all the Google SecOps Marketplace integrations, see Google SecOps Marketplace integrations.

Ontology Override

When you install or upgrade an integration, an on-screen dialog asks you whether to override the current ontology with the one provided in the new integration or to retain the existing mapping.

Overriding the ontology completely replaces the existing mapping. All existing mappings (source, product, event-type) are overwritten with the corresponding ones from the new integration, including any custom modifications. If you've made significant changes to the ontology for your specific needs, you can decline the override and retain the existing mapping in its entirety.

You can, if you wish, export the existing ontology mapping rules for that specific integration as a backup, before overriding. See also Ontology Status.