Onboard Google Security Operations SOAR platform
================================================

Supported in: [SOAR](/chronicle/docs/secops/google-secops-soar-toc)

Before you begin
----------------

Google strongly recommends taking the training in our [Chronicle learning path](https://www.cloudskillsboost.google/journeys/187) first.

Set up users
------------

You need to set up a role and a permission group. If you are an MSSP, you also
need to set up an environment. You then associate them with each new user that
you add to the platform.

If required, you can also provision users to log in using a SAML provider.
For detailed instructions for each of these tasks, see the following documents:

- [Work with roles](/chronicle/docs/soar/admin-tasks/permissions/working-with-roles)
- [Work with permission groups](/chronicle/docs/soar/admin-tasks/permissions/working-with-permission-groups)
- [Add new environment](/chronicle/docs/soar/admin-tasks/environments/add-a-new-environment) (relevant mainly for MSSPs)
- [Add a new user to the platform](/chronicle/docs/soar/admin-tasks/user-soar-only/how-do-i-add-a-new-user-to-the-platform)
- [Configure external authentication](/chronicle/docs/soar/admin-tasks/saml-soar-only/external-authentication)

Set up data ingestion points using connectors or webhooks
---------------------------------------------------------

Set up connectors or webhooks to ingest alerts into the platform in order to
analyze them. This can also be achieved by downloading an entire Use Case. For
detailed instructions for each of these tasks, see the following documents:

- [Ingest your data using connectors](/chronicle/docs/soar/ingest/connectors/ingest-your-data-connectors)
- [Set up a webhook](/chronicle/docs/soar/ingest/webhooks/setting-up-a-webhook)
- [Run use cases](/chronicle/docs/soar/marketplace/run-use-cases)
- [Create your own connector](/chronicle/docs/soar/respond/start-developing/my-first-connector) (for advanced users)

Map and model incoming data
---------------------------

You can control how incoming products, events, and entities are mapped and modeled
to make sure the right information is captured. You can define this ontology configuration
for yourself or choose the default mapping and modeling configuration.
For detailed instructions for each of these tasks, see the following documents:

- [Ontology overview](/chronicle/docs/soar/admin-tasks/ontology/ontology-overview)
- [Create visual families](/chronicle/docs/soar/admin-tasks/ontology/visual-families)
- [Create entities](/chronicle/docs/soar/admin-tasks/ontology/create-entities-mapping--modeling)

Create playbooks
----------------

Google Security Operations lets you respond to threats using a sequential set of manual
and automated steps called playbooks. For more information about playbooks, see the following documents:

- [Overview to playbooks](/chronicle/docs/soar/respond/working-with-playbooks/whats-on-the-playbooks-screen)
- [Create your first playbook](/chronicle/docs/soar/respond/start-developing/my-first-automation)
- [Run a use case from the Marketplace](/chronicle/docs/soar/marketplace/run-use-cases)
- [Work with playbook simulator](/chronicle/docs/soar/respond/working-with-playbooks/working-with-playbook-simulator)

Analyze cases and alerts
------------------------

Use simulated cases and test alerts to test your configurations and playbooks
before going live with them. After alerts are ingested and playbooks have finished
running, you can look at the cases and alerts to see what needs to be done next,
including triage or remediation steps. For detailed instructions for each of these tasks, see the following documents:

- [Cases overview](/chronicle/docs/soar/investigate/working-with-cases/cases-overview)
- [Simulate a case](/chronicle/docs/soar/investigate/working-with-cases/simulate-cases)
- [Perform manual actions](/chronicle/docs/soar/investigate/working-with-cases/perform-a-manual-action)
- [Explore alerts](/chronicle/docs/soar/investigate/working-with-alerts/whats-on-the-alert-overview-tab)
- [Navigate Entity Explorer page](/chronicle/docs/soar/investigate/working-with-cases/navigating-the-entity-explorer-screen)

Last updated 2025-08-29 UTC.