Onboard Google SecOps SOAR platform

This document provides a comprehensive, step-by-step guide to onboarding and configuring the Google Security Operations SOAR platform. The process is structured to establish user access, secure data ingestion, normalize data, build automation, and prepare for live operations.

Before you begin

We strongly recommend taking the training in our Google SIEM and SOAR learning path first.

Set up user access and roles

To get started, you must define a role and permission groups. If you're an MSSP, you also need to set up environments and associate them with new users. If you manage a multi-tenant environment, you must also define environments. If required, you can also provision users to sign in using a SAML provider. For detailed instructions for each of these tasks, see the following documents:

Set up data ingestion points using connectors or webhooks

Configure connectors or webhooks to ingest alerts for analysis. This can also be achieved by downloading an entire Use Case. For detailed instructions for each of these tasks, see the following documents:

Map and model incoming data (ontology)

Control how incoming products, events, and entities are mapped and modeled. This ensures the correct information is captured and visualized. You can define this ontology configuration for yourself or choose the default mapping and modeling configuration. For detailed instructions for each of these tasks, see the following documents:

Create and test automation (playbooks)

Build automated responses using playbooks—sequential sets of manual and automated steps that respond to threats. For more information about playbooks, see the following documents:

Analyze cases and alerts

Use simulated cases and test alerts to verify configurations. Once live, analyze cases and alerts to determine triage or remediation steps. For detailed instructions for each of these tasks, see the following documents: